Re: enterprise change/configuration management and compliance software?
Well, at Exodus we started talking about IASON. In the long run everybody was afraid of IASON. They dared not work on it. Later I developed some bits and parts.

When we changed hardware in a small company (200 PCs, 20 servers, 5 HP ProCurve switches and two routers) IASON would discover the switches as fast as they were powered and would move them to a management network. Operators and management were not amused. IASON was changing passwords and IP addresses :)

That has been the only try. The idea is still a Prolog based AI system, learning and knowing every hardware, how it is configured and connected. You move a PC from one location to another because people do move or because a port on a switch has gone dead. IASON reprograms switches and ports so you get the same VLAN. Somebody is replacing a switch for whatever reason. IASON finds the new switch and sees the connected PCs and uplinks. It reconfigures the switch so as to replace the old one. You do not even need to mind where everything was connected. IASON can change across vendors.

I guess it will take some time - but in the long run we will get it and it will be open source.

Kind regards
Peter

Phil Regnauld wrote:
> jamie (j) writes:
>> device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software. We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
>
> So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
>
>> So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
>
> Rancid :) (+ and now some home developed stuff)
>
>> This topic seemed to spark lively debate on efnet,
>
> The current weather would spark lively debate on most IRC channels.
>
> Phil

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
Re: Problems sending mail to yahoo?
Roger Marquis wrote:
> Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM.

Seen from inside, it is not spam filters but it is the routing table. I have seen spam dropping by 98% when zerorouting some networks. Nobody complained about false positives :) But this is another story for the big ones. They might have customers.

> The problem is that it is an art, not well documented (without reading 5 or 6 sendmail/postfix and anti-spam mailing lists for several years), is not taught in school (unlike systems and network administration), and rarely gets measured with decent metrics.

That is true. Plus the rules are constantly changing.

> Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts...

At the edge it does. It can bring your VoIP down and video on demand. I know of campus networks that improved p2p service when zerorouting networks known for sending spam.

Peter
Re: Mitigating HTTP DDoS attacks?
On Mon, Mar 24, 2008 at 11:34:58PM +, Paul Vixie wrote:
> i only use or recommend operating systems that have their own host based firewalls.

That was exactly my problem.

Barney Wolff wrote:
> What finally broke was doing a table list, possibly because the command prints in sorted order.

Happened to me too.

First step: Borrowed sort.c from Minix.
Next step: Large swap file.
Finally: changed the distribution.

sort is one of the biggest hidden problems. There are broken sorts around, I guess some of the problems are character set specific. There is no more EBCDIC but UTF-8 and UTF-16 are even worse.

Related to sort, you may have more than enough memory or swap but your process won't get it.

You can avoid sorting by looking into the /proc files. proc2pl might get you ideas, from the IASON tools on http://iason.site.voila.fr/

You might even sort or grep the output and you can always do that on a machine that is not your router.

Kind regards
Peter
Re: wanted: offshore hosting
That depends on your legislation: There are a lot of things forbidden in the US but allowed in Europe as well as a lot of things allowed in the US but prohibited in Europe.

Then there are a lot of misunderstandings like accidentally or collaterally censoring. I remember a physicist being banned in Germany who could have saved lives and who could have prevented a lot of people from being put into lunatic asylums. Or maybe he is simply afraid of Google. After all you can be sent to prison if your judge does not know how Google works but your enemy does.

A relatively good place seems to be Québec - they don't know English ...
A really good place seems to be The Netherlands - they don't even know they don't know English.
They both are safe havens as long as your activity is not criminal.

Another good place seems to be Burma. Not even Google can look inside there. Sorry that is a bad one.

Even France can be a safe place. E.g. I had to leave Germany with http://iason.site.voila.fr because IASON is considered a terrorist tool in Germany. The interesting law in Germany is StGB 202c.

Kind regards
Peter and Karin

Hex Star wrote:
> On 10/9/07, [EMAIL PROTECTED] wrote:
>> Hello all. Last time I asked for a hosting place, I ended up going with LayeredTech, but I can give you a list of options if you like. So, I'd like to rent a box somewhere outside of the US, for geographic redundancy and other reasons. Must be dedicated hosting, relatively cheap bandwidth, lots of space (500GB?), allow us to run Debian Linux, take US credit cards. No tech support other than rebooting the box needed. I'd prefer if they spoke English, but weren't in the UK or US. I could deal with it if they only spoke Spanish. A reputable Brazilian shop would be nice, but I'm pretty open to any suggestions. Does anyone have good experience with any outfits that match this description?
>
> Are you seeking this for legal intentions or...? As I doubt this list condones the seeking of hosting for illegal purposes
Re: Operational Feedback Requested on Pending Standard
Hi Ted,

developing IASON I did run into that problem. Among other things IASON was meant to read the configuration of a device and the things connected to it. When e.g. a switch port was bad, a device was unplugged and plugged into another port, then IASON was meant to reconfigure the switch, VPN and parameters, so that the device could run as if nothing had changed.

Most dramatically IASON would allow you to replace a Cisco by an HP ProCurve switch and automatically configure everything as soon as the device was switched on (DHCP and bootp). IASON would discover any device that was asking for DHCP and bootp to query an initial configuration, then it would look through its ports and MAC lists to see where it was connected and what devices were connected.

Of course IASON would work with ifIndex not with ifName as these are different from manufacturer to manufacturer - and definitely not ifAlias because IASON would configure the device before an operator could see it. I might teach IASON to use ifName and keep tables for the different hardware but definitely not ifAlias.

Well, neither Global Crossing nor Exodus cared for IASON so the SNMP part was never finished and IASON only used snmpwalk to scan devices.

I remember the faces of two operators at a new installation when they plugged in three new switches and IASON immediately moved them to a VPN where the operators could not find them. As soon as they plugged in a service laptop it would connect that laptop to the NOC VPN but they would never see the management port. Of course IASON had already issued new passwords, so RS232 would not help them either :)

Cheers
Peter and Karin

Ted Seely wrote:
> All,
>
> Below is an email sent to the IETF OPS Area mailing list soliciting feedback from operators regarding firewalls. We would also appreciate feedback from the Operators Mailing Lists. Please respond to the OPS Area mailing list if you have a position on the item below.
>
> You can subscribe to the Operations and Management Area mailing list at the URL below if you are not already subscribed.
> https://www.ietf.org/mailman/listinfo/ops-area
>
> On behalf of the OPS Area Directors and myself, thank you.
>
> Ted - With OPS Area WG Hat On
>
> --
>
> During the final review phases of the review of http://www.ietf.org/internet-drafts/draft-ietf-midcom-mib-09.txt the issue described below surfaced. It is actually not completely new, it was discussed in the past in a form or another, and it is not necessarily specific to this document and MIB module only, but also to other MIB modules. We believe that input from network operators can help, and we solicit this input.
>
> The MIDCOM-MIB defines tables containing firewall rules, indexed by ifIndex. ifIndex values can change when interfaces are swapped or devices reboot, and this could lead to rules being applied to the wrong interface.
>
> How do you, network operators, prefer interfaces be identified?
> - Is ifIndex the preferred choice even though the indices can change on reboot?
> - Is ifName a better choice for identifying interfaces in rules, since it is set by the device and remains fairly stable across reboots and is guaranteed to be unique?
> - Is ifAlias a better choice, since it can be set by operators, although it is not guaranteed to be unique?
>
> We would appreciate inputs and thank you for your cooperation.
Re: IPv6 network boundaries vs. IPv4
John Osmon wrote:
> Is anyone out there setting up routing boundaries differently for IPv4 and IPv6? I'm setting up a network where it seems to make sense to route IPv4, while bridging IPv6 -- but I can be talked out of it rather easily.
>
> Years ago, I worked on an academic network where we had a mix of IPX, DECnet, Appletalk, and IP(v4). Not all of the routers actually routed each protocol -- DECnet wasn't routable, and I recall some routers that routed IPX, while bridging IP... This all made sense at the time -- there were IPX networks that needed to be split, while IP didn't need to be. DECnet was... DECnet -- and Appletalk was chatty, but useful.
>
> I keep hearing the mantra in my head of: I want my routers to route, and my switches to switch. I agree wholeheartedly if there is only one protocol -- but with the mix of IPv4 and IPv6, are there any folks doing things differently? With a new protocol in the mix are the lessons of the last 10 (or so) years not as clear-cut?

Hi John,

I remember old DECNET, DDCMP, IPX and NetBios days. I used to have a couple of 19.2 kilobaud async lines, 2 arcnets and an ethernet (thinwire technology but on RG13U cables, almost yellow wire and UHF connectors - PL-259 like CB radio). DDCMP could route, IPX could and NetBios was riding on either IPX or DDCMP so it did not matter.

Later the DDCMP async was replaced with lots of switches and repeaters. We used to have a backbone (yellow cable) connecting two VAXes and a repeater that was feeding some 8 thinwires. Half of the thinwires were feeding DECNET terminal servers and PCs, the other half were IPX with a single Netware server and lots of PCs. In its best times the network was seeing some 1000 hosts. Everything was running 10 MBit ethernet. There were 9 segments and no routers.

I have seen you could put some 30 NetBios PCs into a single segment or more than 200 DECNET hosts if they were connected via switches and thinwire transceivers.

Today without thinwire or yellow cable and with switches that can do 1 Gbit between switches and 100 Mbit to devices you should be able to keep some 1000 hosts within a single switched network.

NAT routers seem to have a limit of some 250 hosts within a single 255.255.255.0 network. I don't know if those boxes really can do 250 or if their MAC address tables break even earlier. I have seen those boxes misbehave when a bad ethernet adapter randomly changed its MAC address.

There are quite some link local things in IPv6 so it makes a lot of sense to keep them within a single network - beside that nasty /64 habit that suggests forget radvd and automatic addresses but have an IPv4 address of the 192.168... variety and use 6to4 addressing for your local network.

I was running my own network, 4 IPv4 networks and 3 IPv6 networks without routers, only switches :) The 6to4 trick helped me survive but now I don't know if the IPv6 boxes were really seeing each other or simply using 6to4 routes :)

Kind regards
Peter and Karin
Re: SpamHaus Drop List
I hope this mail does not go out twice. Accidentally used the wrong mailer.

Sean Donelan wrote:
> On Thu, 23 Aug 2007, Paul Vixie wrote:
>>> Does anyone use spamhaus drop list ? http://www.spamhaus.org/drop/index.lasso
>>
>> i do.
>>
>>> I'm glad to listen opinions or experience.
>>
>> no false positives yet. mostly seems to drop inbound tcp/53.
>
> Waving a dead chicken over your computer will have no false positives too. Is it a placebo or does it actually have an effect?
>
> Although very little good or bad will come from those networks, just like the various BOGON lists, the Spamhaus DROP list does require maintenance. If you don't have a process in place to maintain it even after you are gone, proceed with caution. If you do have a process in place, not only for routing but also for your new customer order process, it is a useful source of information.

I had to get rid of some people who notoriously brought my exim down. Here is my personal list:

212.22.0.0     *  255.255.255.0  U  0  00  eth0
218.174.212.0  *  255.255.255.0  U  0  00  eth0
218.167.73.0   *  255.255.255.0  U  0  00  eth0
62.227.222.0   *  255.255.255.0  U  0  00  eth0
219.91.64.0    *  255.255.255.0  U  0  00  eth0
219.91.92.0    *  255.255.255.0  U  0  00  eth0
122.116.17.0   *  255.255.255.0  U  0  00  eth0

Don't copy it without knowing what you are doing. I did not mind losing something. I lost all spammers using my system as a relay.

I did not find any of my routes in the DROP list. No good for me.

I remember friends telling me they got rid of SpamHaus because it killed too many legal emails - but that was not the DROP list.

My router keeps telling me - the more routes, the slower it gets. I guess with 120 routes it gets slow enough for all spammers to time out :)

Remember the US is a republic. The UK is an old-fashioned monarchy and their legal system might not be compatible with what you expect :)

Kind regards
Peter and Karin
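As an added example of the maintenance process Sean describes (written for this page, not code from Spamhaus or from anyone in the thread): parse a feed in the DROP file layout, reconcile it against the null routes a previous run installed, and refuse to blackhole anything that overlaps your own or a customer's assignment. The "prefix ; SBLnnn" layout, the RFC 5737 documentation prefixes used as sample data, and the assumption that the installed list holds only feed-managed routes (so hand-made routes like the ones above are never withdrawn) are mine.

```python
"""Reconcile a DROP-format feed with installed blackhole routes (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DropEntry:
    network: ipaddress.IPv4Network
    sbl: str  # SBL reference carried after the ';', "" when absent


def parse_drop(text: str) -> List[DropEntry]:
    """Parse DROP-format lines; lines starting with ';' or '#' are comments."""
    entries: List[DropEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        prefix, _, rest = line.partition(";")
        # strict=True rejects a prefix with host bits set (a corrupted feed line)
        net = ipaddress.ip_network(prefix.strip(), strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"not an IPv4 prefix: {prefix!r}")
        entries.append(DropEntry(net, rest.strip()))
    return entries


def plan_changes(entries: Iterable[DropEntry], installed: Iterable[str],
                 protected: Iterable[str]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Compute adds/withdrawals so the router matches the feed.

    `installed` must contain only routes this process manages; `protected`
    lists your own and customer prefixes, which are never blackholed even
    if the feed happens to cover them (the customer-order check Sean mentions).
    """
    wanted = {e.network for e in entries}
    guard = [ipaddress.ip_network(p) for p in protected]
    skipped = {n for n in wanted if any(n.overlaps(p) for p in guard)}
    wanted -= skipped
    current = {ipaddress.ip_network(n) for n in installed}
    return {
        "add": sorted(wanted - current),        # new in the feed
        "withdraw": sorted(current - wanted),   # dropped from the feed: stale, remove
        "skipped": sorted(skipped),             # overlaps protected space: alert a human
    }


def blackhole_commands(plan: Dict[str, List[ipaddress.IPv4Network]]) -> List[str]:
    """Render the plan as Linux iproute2 commands (returned, not executed)."""
    cmds = [f"ip route add blackhole {n}" for n in plan["add"]]
    cmds += [f"ip route del blackhole {n}" for n in plan["withdraw"]]
    return cmds


# Constructed sample feed: documentation prefixes and placeholder SBL ids.
SAMPLE_DROP = """\
; constructed sample in DROP format, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
"""
# Constructed: what the previous run left on the router; 100.64.0.0/24 is no longer listed.
SAMPLE_INSTALLED = ["198.51.100.0/24", "100.64.0.0/24"]
# Constructed: a customer assignment that must never be blackholed.
SAMPLE_PROTECTED = ["203.0.113.0/25"]


def demo() -> List[str]:
    plan = plan_changes(parse_drop(SAMPLE_DROP), SAMPLE_INSTALLED, SAMPLE_PROTECTED)
    return blackhole_commands(plan)


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```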
Re: Client information?
Thank you for helping my English a bit. Found the right word - reservoir, but I guess swimming pool is better.

With IPv6 controlling sinks and toilets, why not? Don't tell the environmentalists.

Cheers
Peter and Karin

Jay Hennigan wrote:
> Carl Karsten wrote:
>>> I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us.
>>
>> what is a non swimmers basin ?
>
> A toilet? Or maybe a kiddie wading pool.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Client information?
Paul Atkins wrote:
> Hello,
>
> I am a network researcher. One question I want to ask the ISPs here is that if they have a choice of finding more information about the hosts that connect to them, is it something they will like to spend money on? For example if the ISP can find out what applications the host is running etc. would it be useful for the ISPs?
>
> Thanks

I am not exactly an ISP. Sometimes somebody is knocking at my door. If it sounds like they are knocking with a pick and a hoe, I forget about good manners and ask back with nmap. Depending on what IASON and nmap are reporting I might give botnet Gadi an email - but I don't take money for that service nor is that so interesting I would pay money to know more.

And I see netbios ports open most of the time, so I guess it must be Windows mostly and the application is a bot.

The friendlier guys keep telling me their OS and browser via the HTML interface. If they disguise a Linux Konqueror as a Windows IE that is no big problem.

Would it be useful for ISPs? I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us. But I as a customer would not want that. And paying money for that service - beware.

Kind regards
Peter and Karin
Re: Client information?
Carl Karsten wrote:
>> I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us.
>
> what is a non swimmers basin ?

Hi Carl,

in Germany our public swimming pools have pools for swimmers and pools for people who cannot swim. If swimmers accidentally fall into the non swimmers' pool and get drowned by all those non swimmers permanently plunging onto them, it's their problem and not a fault of the people running the pool :)

The shark basin and the non swimmers basin are very much used in popular language here - but maybe my translation is horrible.

Cheers
Peter and Karin
Re: An Internet IPv6 Transition Plan
Scott Francis wrote:
> On 7/29/07, Peter Dambier [EMAIL PROTECTED] wrote:
>> Ways have been found to drill holes into NAT-routers and firewalls, but they are working only as long as it is only you who wants to break out of the NAT. As soon as the mainstream has only left rfc 1918 addresses p2p will stop.
>
> really? http://samy.pl/chownat/
>
> NAT stops nothing. The concept in the above script (which has been around for several years) would be trivial for any P2P software to implement if it detects it is behind a NAT; in fact, this method may well be in use already.

I have read that is what Skype is doing and probably some trojans.

Still you have to talk to your NAT router and the other party has to talk to their NAT router to make those two NAT routers talk to each other. When those two routers cannot see each other because they too are living behind NAT then you have got a problem. I guess you can solve it but the number of ports is limited and things get a lot trickier.

When you try to get out of the big NAT (China) then the number of available ports versus the number of users who want to get out - is the limit.

Kind regards
Peter and Karin
Re: An Internet IPv6 Transition Plan
Stephen Wilcox wrote:
> ...
> Firstly, all p2p nets use some process to register with the network. It is simple to imagine a way to ensure these superpeers are publicly addressed and let them coordinate the NATted hosts.

e.g. dyndns (no-ip.com) or OpenDHD and other not so well-known. Bots very often use IRC channels, also not strictly p2p, sometimes. You may not like them (I don't) but they still are p2p applications, if not the most popular.

> Secondly, there is no big NAT in China.

China is meant as a bad example. They will be the first to grow out of IPv4 space and their IPv9 is kind of a big NAT.

> And even if there was, very large private networks should flourish for p2p sharing amongst each other.

Indeed if the island is becoming big enough. But there is no communication to the outside.

> I think you're trying to demonstrate NAT to be a security mechanism and it's long been known that that is not the case.

No, I think NAT is a pain in the backside and should never have been. Indeed a lot of fools get tricked into believing NAT is kind of a firewall. It is like closing your eyes so the attacker cannot see you.

Talking about spam and malware going away with NAT behind NAT ... I meant communication via email would go away in the first place. I should have marked that as sarcasm.

Kind regards
Peter and Karin
Re: An Internet IPv6 Transition Plan
Petri Helenius wrote:
> Stephen Wilcox wrote:
>> Now, if you suddenly charge $2.50/mo to have a public IP or $15/mo for a /28 it does become a consideration to the customer as to if they _REALLY_ need it
>
> Where would this money go to?

To IP squatters. Get your allocation now and turn it into gold tomorrow.

p2p people will be happy if they can get rid of their tunnels. With rfc 1918 addresses for all there will be no more filesharing, VoIP, spam and trojans.

Cheers
Peter and Karin
Re: An Internet IPv6 Transition Plan
Stephen Wilcox wrote:
> On Sun, Jul 29, 2007 at 10:50:10AM +0200, Peter Dambier wrote:
>> p2p people will be happy if they can get rid of their tunnels. With rfc 1918 addresses for all there will be no more filesharing, voip, spam and trojans.
>
> really? because p2p doesn't work behind NAT, and computers behind NAT don't get infected? this is the Internet today and NAT has no effect on the above.

I am pessimistic. The malware will find its way. It is port 25 smtp that goes away and takes part of the spam away too.

Ways have been found to drill holes into NAT routers and firewalls, but they are working only as long as it is only you who wants to break out of the NAT. As soon as the mainstream has only left rfc 1918 addresses p2p will stop.

I see lots of p2p-ers already communicating via IPv6 tunnels. They are prepared.

Kind regards
Peter and Karin
Re: DNS Hijacking by Cox
Mattias Ahnberg wrote:
> Peter Dambier wrote:
>> The problem is, you don't know what is behind that probably NATted ip address. Probably you have 3 unix machines running smtp and uucp and a single infected windows box and maybe some VoIPs and ...
>
> This is why I spoke of merely intercepting web traffic to inform, to not interrupt other services that may use the same link. I am in the same situation myself, sharing lots of stuff via the same fiber to my house. I even have TV through it. So I actually thought of that.

You are right. Intercepting is mostly harmless.

> And an ISP probably knows a bit more about their customer base than what we do, so this idea would of course have to adapt to that. But as said, it's a complicated matter and probably not a good idea either way before we know who is supposed to do what and for whom.

Having been a customer of some ISPs and communicating with others, I don't agree. At least concerning email they don't have a clue about their customers and there are other things like uucp, VoIP and p2p or IPv6 tunnels they don't have either.

Kind regards
Peter and Karin
Re: DNS Hijacking by Cox
The problem is, you don't know what is behind that probably NATted ip address. Probably you have 3 unix machines running smtp and uucp and a single infected windows box and maybe some VoIPs and ... You kill everything but that single maudit infected windows. The guy who is running the windows box is Dad and he won't come home before the weekend. Oh, you killed the VoIP. Sorry I cannot phone Dad and tell him his pc is infected.

You might as well hit a small business with some 50 workstations. Again you hit their VoIP and maybe their VPN so their outsourced system manager cannot dial in and try to repair things. Maybe it would teach them not to get infected but I would not want to be their ISP.

Of course we are only talking about IRC but which botherder is depending on IRC only?

Kind regards
Peter and Karin

Mattias Ahnberg wrote:
> James Hess wrote:
>> I suspect it would be most useful if detected drones by most major IRC network would be visible to cooperating ISPs for further analysis, not just Undernet.
>
> I'd dare to say that most of us major networks hardly see a small percentage of the big botnets around, the miscreants have since a long time back learned to use own CCs where the connected IPs of a connected client is hidden from all but themselves. But it certainly would not hurt if there was a good way to report drones to ISPs and actually get some attention to the problem. A bunch of small streams quickly build up to a larger river in the end, I guess.
>
> Perhaps a larger issue for the ISPs is what to actually DO with their infected customers. To what extent is the ISP responsible for what their users do and how their computers are setup? I do not have a clear answer to that.
>
> Since almost every user is using the web a nice system could be to redirect reported PCs through a proxy the ISP controls where the user can get information about what to do about problems and at the same time still reach the Internet after choosing to click away the information; or something along those lines.
Re: trans-Atlantic latency?
Neal R wrote:
> I have a customer with IP transport from Sprint and McLeod and fiber connectivity to Sprint in the Chicago area. The person making the decisions is not a routing guy but is very sharp overall. He is currently examining the latency on trans-Atlantic links and has fixed on the idea that he needs 40ms or less to London through whatever carrier he picks. He has spoken to someone at Cogent about a point to point link.
>
> What is a reasonable latency to see on a link of that distance? I get the impression he is shopping for something that involves dilithium crystal powered negative latency inducers, wormhole technology, or an ethernet to tachyon bridge, but its been a long time (9/14/2001, to be exact) since I've had a trans-Atlantic circuit under my care and things were different back then.
>
> Anyone care to enlighten me on what these guys can reasonably expect on such a link? My best guess is he'd like service from Colt based on the type of customer he is trying to reach, but its a big muddle and I don't get to talk to all of the players ...

I remember VoIPing over the pond, from Frankfurt, Germany to New York. We had to twist asterisk to even accept the SIP. Time was between 80 and 90 msec. The experienced time was higher. Roger, Over and Out with their interstellar hamradio experience could do it, but to a normal citizen it was unusable.

(dsl 1000 customer, close to Frankfurt)
 1  krzach.peter-dambier.de (192.168.48.2)  2.918 ms  3.599 ms  3.926 ms
 2  * * *
 3  217.0.78.58  85.268 ms  85.301 ms  102.059 ms
 4  f-ea1.F.DE.net.DTAG.DE (62.154.18.22)  102.092 ms  110.057 ms  126.310 ms
 5  p2-0.core01.fra01.atlas.cogentco.com (212.20.159.38)  126.344 ms * *
 6  * * *
 7  p3-0.core01.ams03.atlas.cogentco.com (130.117.0.145)  132.262 ms  139.333 ms  147.174 ms
 8  p12-0.core01.lon01.atlas.cogentco.com (130.117.0.198)  76.436 ms  76.444 ms  84.374 ms
 9  t1-4.mpd02.lon01.atlas.cogentco.com (130.117.1.74)  99.840 ms  99.873 ms  107.508 ms
10  t3-2.mpd01.bos01.atlas.cogentco.com (130.117.0.185)  209.678 ms  217.428 ms  225.601 ms
11  t2-4.mpd01.ord01.atlas.cogentco.com (154.54.6.22)  233.514 ms * *
12  vl3491.mpd01.ord03.atlas.cogentco.com (154.54.6.210)  243.741 ms * *
13  * * *
14  ge-1-3-0x24.aa1.mich.net (198.108.23.241)  165.776 ms  174.752 ms  193.770 ms
15  www.merit.edu (198.108.1.92) (H!)  193.812 ms (H!)  201.863 ms (H!)  209.704 ms

(colo in Amsterdam)
 1  205.189.71.253 (205.189.71.253)  0.227 ms  0.257 ms  0.227 ms
 2  ge-5-2-234.ipcolo1.Amsterdam1.Level3.net (212.72.46.165)  0.985 ms  0.811 ms  0.856 ms
 3  ae-32-54.ebr2.Amsterdam1.Level3.net (4.68.120.126)  4.235 ms  6.575 ms  1.360 ms
 4  ae-2.ebr2.London1.Level3.net (4.69.132.133)  19.097 ms  12.816 ms  18.220 ms
 5  ae-4.ebr1.NewYork1.Level3.net (4.69.132.109)  78.197 ms  78.769 ms  87.062 ms
 6  ae-71-71.csw2.NewYork1.Level3.net (4.69.134.70)  78.068 ms  79.058 ms  89.192 ms
 7  ae-22-79.car2.NewYork1.Level3.net (4.68.16.68)  142.665 ms  135.007 ms  214.243 ms
 8  te-7-4-71.nycmny2wch010.wcg.Level3.net (4.68.110.22)  75.824 ms  75.695 ms  76.566 ms
 9  64.200.249.153 (64.200.249.153)  282.356 ms  138.384 ms  243.104 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  www.merit.edu (198.108.1.92)  112.906 ms !C  110.515 ms !C  113.418 ms !C

Try Switch (Switzerland) they are testing warp tunnels - but not producing yet :)

Cheers
Peter and Karin
Re: Broadband routers and botnets - being proactive
Ross Hosman wrote:

> Gadi, I appreciate your well thought out email but I sit here and wonder what exactly you are trying to accomplish with it? Are you just trying to shame the two ISPs listed publicly or are you trying to spark a discussion about something that many people here can't fix? Many businesses today are focused on driving revenue and fixing old CPE equipment doesn't generate revenue, it only ties up money and resources that can be used elsewhere to drive revenue. If I were you I would try to spin this problem in a way where you can show large ISPs by fixing CPEs it will free up network resources and staff which can be used elsewhere. The people that can fix these problems are usually unaware of them so try to educate those people. Write CEOs/CTOs/CSOs educating them and push the security teams for these companies to escalate these issues to their upper management (on that note I would say this type of discussion would be better suited for a security mailing list for the reason I stated before, many people here can't fix these problems). Simply stating that there is a problem and shunning ISPs with this problem isn't a fix for the problem, it just makes them ignore you and the problem.
>
> -Ross

Hi Ross,

Gadi is talking about DTAG.de, our biggest ISP in Germany and quasi a monopoly. Gadi has reached the ears of the Pirates Party, a political party that fights monopolies.

The hardware is very likely a branded version from AVM. They have no updates for the branded version, but you can unbrand it. Then you have a hardware that accepts open source firmware.

Kind regards
Peter and Karin
Re: Cacti 0.8.6j Released (fwd)
Matthew Palmer wrote:

> On Tue, May 08, 2007 at 08:10:56PM -0700, matthew zeier wrote:
>
>>>> and more to the point how the whole shebang (I'm using net-snmpd) is typically used.
>>>
>>> Agent on device provides values, management app(s) collect data by polling (and possibly via traps), sysadmin gets to go home on time for once.
>>
>> I have yet to see this work in practice however.
>
> Yeah, I misread 'typically' as 'theoretically'. Practical experience is more like: Agent on device lies about its values, management apps collect lies (and ignore/lose traps), and the sysadmin has yet more software to swear at.
>
> grin
>
> - Matt

Just for curiosity's sake: IASON is reading logs most of the time. proc2pl is reading the /proc filesystem. I did not find the time and equipment for testing so I used snmpwalk to write a file and read it just like any normal file or /proc. Processing the output of snmpwalk just got me the normal log file I was interested in.

I tried writing back into SNMP variables but I never got an HP Procurve switch to do what I wanted. When they used different MIBs for different families of their switches, I gave up. Now I see Linux boxes most of the time. They all use different MIBs for different things. Reading /proc is much easier and there are fewer differences between the machines. The SOHO stuff I find mostly uses web interfaces, sometimes a real Linux with a real log, but almost never SNMP.

Looks sad, but I am still interested as it could make things a lot easier.

Cheers
Peter and Karin
Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
Joe Maimon wrote:

> Jo Rhett wrote:
>
>> On May 6, 2007, at 6:07 PM, Joe Maimon wrote:
>>
>>> Of course, and that's why I have cut down ip mtu and tcp adjust mss and all the rest. Not making much of a difference.
>>
>> Um.. sorry if you mean more than you said, but where did you cut down the TCP MTU? If you did it on your routers, then you are creating or at least complementing the problem.
>
> On the CPE dialer interface. On the ezvpn dvti virtual-template.
>
>> The only way to make smaller MTUs work is to alter the MTU on both the origin and destination systems. Altering the MTU anywhere along the path only breaks things.
>
> Lower than 1500 mtu always requires some kind of hack in real life. That would be the adjust-mss which is the hack-of-choice.

I remember from my early DSL days it was recommended to configure mtu=1480 on all interfaces connected to the internet or to the NAT router. I remember at least the Grandstream ATA and DSL NAT router was braindead (lobotomized ICMP) enough simply to break connections when packets exceeded the 1480 bytes.

Practically all German internet users are on DSL lines. Some smaller hosts with ftp or http servers are on DSL or tunnels, maybe with even smaller MTU. So mtu 1500 is practically the norm.

Kind regards
Peter and Karin Dambier
1500 does not work: Thoughts on increasing MTUs on the internet
Fred Baker wrote:

> ... 1500 byte MTUs in fact work. I'm all for 9K MTUs, and would recommend them. I don't see the point of 65K MTUs. ...

Well, with almost everybody using PPPoE in Germany and at least half of Europe, our MTU is somewhere around 1480. Many routers are braindead (ICMP lobotomized). When you hit somebody on an ip2ip link or IPv6 tunnel your MTU goes down to even smaller packets and things like ftp or ssh simply break. I have seen many gamers on mtu = 1024 and smaller.

Kind regards
Peter and Karin Dambier
Re: Abuse procedures... Reality Checks
J. Oquendo wrote:

> ... So to answer your question about fairness... It's not fair by any means, but it is effective. I see it as follows...

Well, that's the reason why I have a gmail account and all my customers have. I can send even from my dynamic IP address and still they let me in. They can send to my dynamic IP address. Important mails are sent host to host. For the records are sent via gmail. There is no need for any other mail provider. They are blocking mails most of the time, only allowing spam to get through.

Cheers
Peter and Karin
Re: Blocking mail from bad places
joej wrote:

> Greetings. While it's a pretty brute force approach, one method I'm trying is to curtail the source of email. In other words, if smtp traffic comes from an unknown source it gets directed to a sendmail server that intentionally rejects the email message (550 with an informational message/url). If the email message comes from a "known" source (friend/family's ISP) it gets routed to my main sendmail server which allows most email after checking for the obvious (non resolvable domains, blacklisted domains etc) using an access list. I've cut down on Spam (including this account which I use solely for NANOG) to about 0. Granted the amount of valid email that can get rejected is high, but since I log the bounces on the drop server I can look for obvious rejects from good/expected email servers. Not by any means a solution to/for a large or even medium size provider, but for a small home based setup it works well. Details at http://www.sumless.net/nsh.html
>
> Cheers,
> -Joe Blanchard

Hi Joe,

1) You send bounces from spammers to innocent people, whose addresses have been forged.

2) Even if you modified the return address, so the bounce returns to the zombie, it does not make sense. Bots don't listen. Looks like you are adding to the noise and chance is good you are finding yourself in a blacklist.

3) You are dropping valid emails.

It might make more sense telling your friends not to send emails to port 25 but to port 26 if they want to get in. The spammers don't know how to switch to port 26. They will knock on the door once and go away.

Another means would be switching to UUCP. I have not seen any spam on our little UUCP network yet.

Cheers
Peter and Karin
Re: America takes over DNS
The Racines Libres have failed? There are so many out there that we cannot count them any longer. I think the only failure is the single point of failure root. They have failed to be trustworthy.

It is so easy: get a copy of a trustworthy root zone and run your own root. From time to time compare your root to the others and fix any diffs. Better take the authoritative servers and fix your root zone.

I have never seen a personal root server attacked. The single point of failure root gets attacked once per hour, because every hour it is 8 o'clock in the morning in some place and all those Windows boxes get switched on.

Cheers
Peter and Karin Dambier

[EMAIL PROTECTED] wrote:

>> The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The key-signing key signs the zone key, which is held by VeriSign.
>
> Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result. I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall.
>
> It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh.
>
> Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?
>
> Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested. To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system.
>
> --Michael Dillon
Re: On-going Internet Emergency and Domain Names
Port 25 is bad. It has been blocked. Port 53 is bad. Some ISPs are already going to block it. How about port 80? I think port 80 should have been the first and only port to block. Let the other ports stay alive.

And maybe a test for port 42 would be nice. If port 42 is answered by an IEN 116 nameserver then everything is fine. If it is Windows name service - then shoot the guy. Chance is 75% that it is a bot already. If you don't shoot him, chance is 75% that he will get infected anyhow.

Can somebody tell me how to delay this post until midnight your time? I have unlocked the mettre en voyage lever already and the kettle is boiling. I am sure we built steam enough :)

Cheers
Peter and Karin

Gadi Evron wrote:

> On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:
>
>> On Sat, 31 Mar 2007, Gadi Evron wrote:
>>
>>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS. Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam. So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms.
>
> The real problem? Okay, I'd like your ideas then. :)
>
> What we are referring to here is not just malware, phishing, DDoS (rings a bell, root servers?) and other threats. It is about the DNS being manipulated and abused and causing instability across the board, only not in reachability and availability which is the infrastructure risk already being looked after. Hijacking may be resolved by DNS-SEC, this isn't. If an A record with a low TTL can be changed every 10 minutes, that means no matter what the problem is, we can't mitigate it. There are legitimate reasons to do that, though. The CC for a botnet would not disappear, as it would be half way across the world by the time we see it. The only constant is the malicious domain name. If the NS keeps skipping around, that's just plain silly. :)
>
> If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. It HAS become an infrastructure for abuse, and it disturbs daily life on the Internet. We'd like solutions and we raised some ideas - we are willing to accept they are not good ones, please help us out with better ones?
>
> Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names?
>
> One problem at a time, please.
>
> Gadi.
Re: Linksys WAG200G - Information disclosure (fwd)
Karin and I have just completed a little test, in case you own such a router.

On the IASON homepage http://iason.site.voila.fr scroll down, look for the picture of the two pirates and click "Port 916 Backdoor". The file udp916.tgz contains Makefile and sources for

    test916 router name or ip

and, in case your router does not answer port 916 udp, a little server, server-916. The server must be run as root. It will terminate after the first test from the client, telling you at least the query from the client and the name and IP addresses.

Enjoy
Peter and Karin Dambier

Robert Boyle wrote:

> At 05:48 PM 3/20/2007, you wrote:
>
>> I wonder what their security process is for other types of routers?
>
> Try [EMAIL PROTECTED]
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#Problems
>
> -Robert
>
> -- Forwarded message --
> Date: 20 Mar 2007 20:31:01 -
> From: [EMAIL PROTECTED]
> To: bugtraq@securityfocus.com
> Subject: Linksys WAG200G - Information disclosure
>
> Hi there,
>
> About 2 months ago I bought a wireless ADSL modem/router, the Linksys WAG200G. Just did some basic security checks and to my utter surprise the device responded with about all sensitive information it knows:
>
> * Product model
> * Password webinterface
> * Username PPPoA
> * Password PPPoA
> * SSID
> * WPA Passphrase
>
> I notified Linksys, got some regular support questions and was then assured my concerns would be forwarded to the product engineers. Some weeks later I tried again, same message, silence since then. My firmware version is 1.01.01, latest available for this type.
>
> 'Technical' info: Sent a packet to UDP port 916. Answer contains mentioned information. (LAN interface and Wireless interface)
>
> Greetings,
> Daniël Niggebrugge
>
> Tellurian Networks - Global Hosting Solutions Since 1995
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> Well done is better than well said. - Benjamin Franklin
Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons
http://www.completewhois.com/hijacked/files/203.27.251.0.txt
http://www.completewhois.com/hijacked/index.htm

This can prove the opposite. Malware comes from redirected allocated blocks, not from bogons.

Kind regards
Peter and Karin

Sean Donelan wrote:

> On Fri, 2 Mar 2007, Daniel Senie wrote:
>
>> How do you know, if you're the one being attacked and you have no idea if the originating network or their immediate upstream implemented BCP38? Shall we just discard ingress filtering? If few attacks are using it today, should we declare it no longer relevant? At the same time we should ask if we should be x-raying shoes at the airport, since there's only been one guy who tried to blow up his shoes. The larger security question is, do you stop looking for old threats simply because they're not the most common threats? How many CodeRed packets flow over the Internet on a typical day? I assure you it's not zero.
>
> Show me the data. How many CodeRed packets originate from unallocated addresses? Is the proposal actually effective at detecting or protecting against the threat? Or is it just a wasted effort for show?
>
> http://www.tsa.gov/press/happenings/kip_hawley_x-ray_remarks.shtm
>
> Instead of dropping packets with unallocated source addresses, perhaps backbones should shut down interfaces they receive packets from unallocated address space. Would this be more effective at both stopping the sources of unallocated addresses, as well as sources that spoof other addresses, because the best way to prevent your interface from being shut down by backbone operators is to be certain you only transmit packets with your source addresses.
Re: DNS: Definitely Not Safe?
MARLON BORBA wrote:

> Security of DNS servers is an issue for network operators, thus pertaining to NANOG on-topics. This article shows a security-officer view of the recent DNS attacks.
>
>> Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors.

I am not sure whether the author isn't walking beside his shoes.

DNS is like a telephone book. Yes, it is dangerous to have your telephone number listed in a publicly available book. We should forbid telephone books and the world would be much safer?

If you are afraid of people using axfr to slave a nameserver then don't publish it. Use /etc/hosts, not DNS, and best don't tell anybody your IP address.

In some places (Africa ?) root servers may be difficult to see, so why not clone them and have the root on your local network? If they are attacked again - no problem. Your personal root server will survive at least a month without them. Of course you need axfr transfers to do that.

I don't know how you can use axfr transfers to DoS somebody else but yourself. It is a TCP connection after all. You need to be connected. Overloading electricity supply like the NSA tries to do is a lot more efficient.

That leaves recursive nameservers, resolvers. Yes, that could help. Forbid all publicly available resolvers including those of your ISP, then attackers, mostly running Windows in their botnets, will not find their targets any longer. The big problem is IT personnel relying on Windows for their backbones. You cannot help them, only an attack can.

I remember companies used to run their own internal nameservers. Why don't they do it any longer? DNS has become so much more reliable that they don't need to.

Kind regards
Peter and Karin
ien116 nameserver on port 42
http://www.isc.org/index.pl?/sources/network/utils/ien116.php

Shows how to implement the good old IEN 116 nameserver and how to query it. It runs from the inetd. No need to have it waste memory and CPU all the time.

Run an IEN 116 nameserver at home and query it, using your laptop. Next maintain your /etc/hosts. I hope your laptop reads /etc/hosts or the Windows hosts file before querying DNS. Mine do.

Except for the Mac there is no way short of a firewall to convince your laptop to use another port than 53 for DNS. But why not run your personal DNS server, bind or djbdns? They both can use other ports than 53.

Kind regards
Peter and Karin

Lasher, Donn wrote:

>> If so, how do you configure your client operating system of choice to use the novel, un-proxied ports instead of using port 53?
>
> * Set up the profile, to your house/work/etc, of your favorite SSH client to forward port 53 local to port 53 on your remote machine.
> * Make sure your SSH Profile connects to your house/work/etc via IP, not name
> * make sure there is some sort of DNS server running on the target of your SSH session
> * make sure your SSH server supports forwarded ports
> * connect to your house/work/etc.
> * repoint your local DNS client config to 127.0.0.1
> * browse at will
> * (don't forget to undo this later or risk losing your sanity)
>
> Same type of config works great for HTTP (with squid, and browser proxy settings) etc..
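The "port 42" test proposed in the earlier On-going Internet Emergency post and the IEN 116 nameserver recommended here rest on the same tiny protocol. The following is an added example, not code from the post or from ISC's ien116 utility: it implements the IEN 116 wire format, a hosts-table lookup that answers a request, and a client-side check that the reply names the host that was asked for. It assumes the opcode and error-code values as this example reads them from IEN 116 (1 = name request, 2 = address response, 3 = error; error 1 = name not found, 2 = name syntax error), uses a constructed hosts table, and never touches the network.

```python
"""IEN 116 ("port 42") name lookup: wire format, server answer, client check.

Added example, not the post's or ISC's code. Opcode and error-code values are
as this example reads them from IEN 116; the hosts table below is constructed.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

NAME_REQUEST = 1        # client -> server: "what is the address of NAME?"
ADDRESS_RESPONSE = 2    # server -> client: NAME followed by its address
ERROR_RESPONSE = 3      # server -> client: NAME followed by one error-code byte
ERR_NAME_NOT_FOUND = 1
ERR_NAME_SYNTAX = 2

# Letters, digits, hyphens and dots only: keeps garbage out of the table lookup.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")

# Constructed /etc/hosts-style table for the example (not real hosts).
HOSTS: Dict[str, str] = {
    "krzach": "192.168.48.2",
    "echnaton": "192.168.48.226",
}


def encode_request(name: str) -> bytes:
    """Name request: opcode byte, one length byte, then the ASCII name."""
    data = name.encode("ascii")
    if not 1 <= len(data) <= 255:
        raise ValueError("name must be 1..255 bytes")
    return bytes([NAME_REQUEST, len(data)]) + data


def parse_request(packet: bytes) -> str:
    """Extract the queried name; anything that is not a well-formed request is rejected."""
    if len(packet) < 2 or packet[0] != NAME_REQUEST:
        raise ValueError("not an IEN 116 name request")
    length = packet[1]
    if length == 0 or len(packet) < 2 + length:
        raise ValueError("truncated or empty name")
    return packet[2:2 + length].decode("ascii")  # UnicodeDecodeError is a ValueError


def encode_address(name: str, addr: str) -> bytes:
    """Address response: echoes the name, then a length byte and the 4 address octets."""
    data = name.encode("ascii")
    packed = ipaddress.IPv4Address(addr).packed
    return bytes([ADDRESS_RESPONSE, len(data)]) + data + bytes([len(packed)]) + packed


def encode_error(name: str, code: int) -> bytes:
    """Error response: echoes the name, then a single error-code byte."""
    data = name.encode("ascii")
    return bytes([ERROR_RESPONSE, len(data)]) + data + bytes([code])


def parse_response(packet: bytes) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (name, address or None, error code or None) from a server reply."""
    if len(packet) < 2:
        raise ValueError("short packet")
    code, length = packet[0], packet[1]
    if len(packet) < 2 + length:
        raise ValueError("truncated name")
    name = packet[2:2 + length].decode("ascii")
    rest = packet[2 + length:]
    if code == ADDRESS_RESPONSE:
        if len(rest) < 1 or rest[0] != 4 or len(rest) < 1 + rest[0]:
            raise ValueError("bad address field")
        return name, str(ipaddress.IPv4Address(rest[1:5])), None
    if code == ERROR_RESPONSE:
        if len(rest) < 1:
            raise ValueError("missing error code")
        return name, None, rest[0]
    raise ValueError("unexpected opcode %d" % code)


def answer(packet: bytes, table: Dict[str, str] = HOSTS) -> bytes:
    """What the server sends back for one datagram; b'' means 'silently drop it'."""
    try:
        name = parse_request(packet)
    except ValueError:
        return b""                        # not a request at all: no reply
    if not NAME_RE.fullmatch(name):
        return encode_error(name, ERR_NAME_SYNTAX)
    addr = table.get(name.lower())        # hosts names are case-insensitive
    if addr is None:
        return encode_error(name, ERR_NAME_NOT_FOUND)
    return encode_address(name, addr)


def lookup(request: bytes, reply: bytes) -> Optional[str]:
    """Client side: accept the address only if the reply echoes the name we asked for."""
    asked = parse_request(request)
    name, addr, err = parse_response(reply)
    if name.lower() != asked.lower():
        raise ValueError("reply is for %r, not %r" % (name, asked))
    return addr if err is None else None


if __name__ == "__main__":
    req = encode_request("krzach")
    print(lookup(req, answer(req)))       # 192.168.48.2
```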
Re: broken DNS proxying at public wireless hotspots
I am running djbdns and my own root server (tinydns) on my laptop. To axfr the root and some other zones, I use port 3001 (Cesidian Root). With cloned (not actually slaved) zones I have no problem at all but others might still get me.

I have seen the Mac can use things like

    nameserver 192.168.208.228:3001

in its /etc/resolv.conf, Linux cannot. That is why I have not tried. Anyhow there are not many open resolvers on port 3001.

You can run bind on your laptop (even with Windows). I don't know if you can tell it to use other ports than 53 for the forwarders - but you have the source. Dig can do it.

In case you need IP addresses for djbdns, try

    ifconfig lo:1 127.0.1.16 netmask 255.255.255.0
    ifconfig lo:1 127.0.2.16 netmask 255.255.255.0

Now you have enough IP addresses to run dnscache, tinydns and axfrdns on one and the same laptop, even when your IP address to the wlan is constantly changing.

Cheers
Peter and Karin

Suresh Ramasubramanian wrote:

> Right now, I'm on a swisscom eurospot wifi connection at Paris airport, and this - yet again - has a DNS proxy setup so that the first few queries for a host will return some nonsense value like 1.2.3.4, or will return the records for com instead. Some 4 or 5 minutes later, the dns server might actually return the right dns record.
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11
>
> ;; QUESTION SECTION:
> ;www.kcircle.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172573 IN NS j.gtld-servers.net.
> com. 172573 IN NS k.gtld-servers.net.
> [etc]
>
> ;; Query time: 1032 msec
> ;; SERVER: 192.168.48.1#53(192.168.48.1)
> ;; WHEN: Sat Feb 3 11:33:07 2007
> ;; MSG SIZE rcvd: 433
>
> They're not the first provider I've seen doing this, and the obvious workarounds (setting another NS in resolv.conf, or running a local dns caching resolver) don't work either as all dns traffic is proxied. Sure I could route dns queries out through a ssh tunnel but the latency makes this kind of thing unusable at times. I'm then reduced to hardwiring some critical work server IPs into /etc/hosts
>
> What do nanogers usually do when caught in a situation like this?
>
> thanks
> srs
Re: Ams-ix issues?
Jonas Frey wrote:
| All sessions up here (29686). I don't see even a single flap within the
| last 30 mins and we peer with quite many.
|
| Can't ping your ip tho:
|
| [EMAIL PROTECTED] ping 195.69.144.113
| PING 195.69.144.113 (195.69.144.113): 56 data bytes
| ^C
| --- 195.69.144.113 ping statistics ---
| 12 packets transmitted, 0 packets received, 100% packet loss
|
| Regards,
| Jonas
|
| On Tue, 2007-01-16 at 22:52, Christian Koch wrote:
|
| Anyone aware of any issues as of right now? Seems I may have lost
| connectivity at amsix
|

PING 195.69.144.113 (195.69.144.113) from 192.168.48.226 : 56(84) bytes of data.

--- 195.69.144.113 ping statistics ---
7 packets transmitted, 0 received, 100% loss, time 6014ms

/usr/sbin/traceroute 195.69.144.113
traceroute to 195.69.144.113 (195.69.144.113), 30 hops max, 40 byte packets
 1  krzach.peter-dambier.de (192.168.48.2)  2.960 ms  3.165 ms  3.774 ms
 2  MANX45-erx (217.0.116.41)  53.313 ms  64.280 ms  82.398 ms
 3  217.0.66.234 (H!)  76.091 ms  * *

From host_look(84.171.231.46,echnaton.serveftp.com,1420551982).
host_name(84.171.231.46,p54ABE72E.dip.t-dialin.net).

Cheers
Peter and Karin
Re: Network end users to pull down 2 gigabytes a day, continuously?
Gian Constantine wrote:

> Well, yes. My view on this subject is U.S.-centric. In fairness to me, this is NANOG, not AFNOG or EuroNOG or SANOG.

I thought Québec and Mexico did belong to the North American Network too.

> ... I agree there is a market for ethnic and niche content, but it is not the broad market many companies look for. The investment becomes much more of a gamble than marketing the latest and greatest (again debatable :-) ) to the larger market of...well...everyone.

There is only a minority in North America who happens to be white and only some of them do speak English. I remember the times when I could watch Mexican TV transmitted from a studio in Florida. Today everything is encrypted on the sats. We have to use the internet when we want something special here in Germany. I guess Karin and I are not the only ones who do not even own a TV set. The internet is the richer choice.

Even if it is mostly audio (video is nasty overseas), I am sure it does make an impact in North America. Listening to my VoIP phone is mostly impossible now, at least overseas. I used to be able to phone overseas, but even the landline has deteriorated because the phone companies have switched to VoIP themselves.

Cheers
Peter and Karin
Re: [dns-operations] WorldNIC nameserver issues
David Ulevitch wrote:

> We're seeing a number of issues with WorldNIC nameservers failing from multiple points on our network this morning and was wondering if anyone was seeing similar problems.
>
> We're seeing issues with:
> ns47.worldnic.com (domain: cpurocket.com)
> ns48.worldnic.com (domain: cpurocket.com)
> ns87.worldnic.com (domain insightcollect.com)
> ns88.worldnic.com (domain insightcollect.com)
> and many many more...

Seen from Europe, Germany, Darmstadt:

    check_soa cpurocket.com
    NS47.WORLDNIC.com has serial number 2006030200
    NS48.WORLDNIC.com has serial number 2006030200
    check_soa cpurocket.com
    NS47.WORLDNIC.com has serial number 2006030200
    NS48.WORLDNIC.com has serial number 2006030200
    check_soa insightcollect.com
    NS87.WORLDNIC.com has serial number 2006092800
    NS88.WORLDNIC.com has serial number 2006092800
    check_soa insightcollect.com
    NS87.WORLDNIC.com has serial number 2006092800
    NS88.WORLDNIC.com has serial number 2006092800

No problems here.

Kind regards
Peter and Karin
Re: time.nist.gov
Roy wrote:

> time.nist.gov (192.43.244.18) seems to be down. I tried it via several different paths. I can't find any notice that this is a planned event. Does anyone have any further info?
>
> Roy

Nothing found. It was dead yesterday. Now it is working again.

Kind regards
Peter and Karin
Re: [offtopic] Topicality debate [my 2 bits]
Hi Gadi,

I took the effort and looked into the other postings of some of the guys. I guess they are only keyword- or sender-invoked bots. I have never seen any positive postings from them.

Kind regards
Peter and Karin

Gadi Evron wrote:
> On Sat, 23 Sep 2006, John Underhill wrote:
> > -Moderated Approach
> > Create an nanogofftopic@ to give a vent to members. If a post is clearly offtopic and not announced as such, use a 'three strikes you're out' approach, first warning and inviting review of list guidelines, then as a last measure cancelling list subscription. Include 'this is offtopic!' responders among offences, and maybe we can reduce some of the list noise.
>
> Hi John, thanks for the wise words.
>
> I believe our biggest problem is that on topic is not defined. Many here see different issues as operational to them while a few here always yell and scream the minute someone posts that interest.
>
> An off-topic list won't help much, if we can't decide, by poll or arbitrary choice, what actually is on-topic. That can later on be followed. Lists evolve, readerships change, and subjects of interest change. But without certain guidelines, I don't see why any crowd should be silenced or any minority with loud voices should silence them.
>
> If such a consensus/decision is reached, it will be followed to the letter with the full backing of whoever needs to back it up.
>
> Thanks,
>
> Gadi.
>
> > John

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
Re: Zimbabwe satellite service shutdown for non-payment
Gadi Evron wrote:
> On Mon, 18 Sep 2006, Sean Donelan wrote:
> > Intelsat has shut down the primary satellite link for Zimbabwe's state communications company for non-payment, which has affected most of the ISPs in the country.
>
> I can't really blame them. I doubt the Internet is considered critical infrastructure over there yet, and I doubt Intelsat would care... but this is interesting in the sense that even if you can't fault Intelsat in any way... Intelsat, Inmarsat, etc. run quite a bit, and if it's a country that gets disconnected, that is a problem even if it's not their problem.
>
> Gadi.

http://www.itu.int/africainternet2000/countryreports/zwe_e.htm
http://www.comone.co.zw/
http://www.telone.co.zw

  % Information related to '194.133.122.0 - 194.133.122.255'
  inetnum:      194.133.122.0 - 194.133.122.255
  netname:      TelOne-BLK01
  descr:        TelOne (formerly ZPTC)
  country:      ZW

The nameservers and internet sites can be seen from here (Europe) but they are slow.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Why is RFC1918 space in public DNS evil?
Matthew Palmer wrote:
> I've been directed to put all of the internal hosts and such into the public DNS zone for a client. My typical policy is to have a subdomain of the zone served internally, and leave only the publicly-reachable hosts in the public zone. But this client, having a large number of hosts on RFC1918 space and a VPN for external people to get to it, is pushing against this somewhat. Their reasoning is that there's no guarantee that forwarding DNS down the VPN will work nicely, and it's overhead.

It can make sense:

I am sending my mails mostly from lumbamba.peter-dambier.de (192.168.48.226)
my router is krzach.peter-dambier.de (192.168.48.2)
my mailer is echnaton.peter-dambier.de (192.168.48.228)

My traceroute looks ok although some of the hosts are RFC1918.

If somebody looks into my email headers they find information that makes sense although they could not ping the hosts.

As long as you do not allow AXFR, nobody can see the information about RFC1918 hosts. So there is no risk. Even if they could get the data via AXFR they could not reach the hosts behind NAT.

I have seen zones allowing AXFR with lots of RFC1918 hosts. I don't see any harm. Leaking routing information would be evil.

> I know the common wisdom is that putting 192.168 addresses in a public zonefile is right up there with kicking babies who have just had their candy

It is common wisdom like the lie about spinach being healthy. (It is told spinach contains iron. Well, not much really. They mixed up milligrams and micrograms. But it does contain oxalic acid, a deadly poison for babies.)

> stolen, but I'm really struggling to come up with anything more authoritative than just because, now eat your brussel sprouts. My Google-fu isn't working, and none of the reasons I can come up with myself sound particularly convincing. Can someone give a lucid technical explanation, or a link, that explains it to me so I can explain it to Those In Power?
>
> Thanks,
> - Matt

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
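Matt's question above is about policy, but the underlying check is mechanical, so here is an added example (not code from the thread, not from IASON) that does the two things a zone maintainer would want: list every A record in a zone that sits in RFC1918 space, and split the zone into the two views Matt describes (internal: everything; public: only globally reachable hosts). The sample zone is constructed; the three host names and their 192.168.48.x addresses are the ones Peter quotes, the remaining addresses are documentation space.

```python
"""Audit a zone file for RFC1918 addresses (added example, not from the thread).

Two uses: list which records would expose internal addressing if this zone were
published as-is, and split it into a public and an internal view.  The sample
zone at the bottom is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Exactly the three RFC1918 blocks, on purpose: ipaddress's is_private also
# covers loopback, link-local and other space that is not what this check is about.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    """True only for addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def a_record_address(line: str) -> Optional[str]:
    """Address of an A record on this zone-file line, or None (comments stripped; TTL and class optional)."""
    tokens = line.split(";", 1)[0].split()
    if len(tokens) >= 2 and tokens[-2] == "A":
        try:
            return str(ipaddress.IPv4Address(tokens[-1]))
        except ValueError:
            return None
    return None


def find_private_records(zone_text: str) -> List[Tuple[str, str]]:
    """[(owner, address)] for every A record in RFC1918 space; indented lines inherit the owner."""
    hits, owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if not line[0].isspace():
            owner = line.split()[0]
        addr = a_record_address(line)
        if addr is not None and is_rfc1918(addr):
            hits.append((owner, addr))
    return hits


def split_views(zone_text: str) -> Tuple[str, str]:
    """(public, internal): internal keeps every line, public drops A records in RFC1918 space."""
    public, internal = [], []
    for line in zone_text.splitlines():
        internal.append(line)
        addr = a_record_address(line)
        if addr is None or not is_rfc1918(addr):
            public.append(line)
    return "\n".join(public), "\n".join(internal)


# Constructed sample zone.  Host names and 192.168.48.x addresses are the ones
# quoted in the post; 203.0.113.0/24 is documentation space (TEST-NET-3).
SAMPLE_ZONE = """\
$TTL 86400
@            IN SOA  ns1.peter-dambier.de. hostmaster.peter-dambier.de. (
                     2005050401 ; serial
                     28800 7200 604800 86400 )
@            IN NS   ns1.peter-dambier.de.
@            IN MX   10 echnaton
ns1          IN A    203.0.113.53   ; constructed public address
www          IN A    203.0.113.10   ; constructed public address
lumbamba     IN A    192.168.48.226 ; workstation named in the post
krzach       IN A    192.168.48.2   ; router named in the post
echnaton     IN A    192.168.48.228 ; mailer named in the post
"""

if __name__ == "__main__":
    for owner, addr in find_private_records(SAMPLE_ZONE):
        print(f"RFC1918 address in zone: {owner:10s} {addr}")
    public, _ = split_views(SAMPLE_ZONE)
    print("--- public view ---")
    print(public)
```

The split keeps the MX pointing at the internal mailer in both views; that is the kind of record a reviewer would look at by hand, since the name resolves only internally once the A record is dropped from the public view.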
Re: i am not a list moderator, but i do have a request
Paul Vixie wrote:
> which is, please move these threads to a non-SP mailing list.
>
>   R [  41: Danny McPherson    ] Re: mitigating botnet CCs has become useless
>   R [  22: Laurence F. Sheldon]
>   R45: Danny McPherson
>   R [  62: Laurence F. Sheldon]
>   R [ 162: J. Oquendo         ] Re: [Full-disclosure] what can be done with botnet CC's?
>   R 211: Payam Tarverdyan Ch
>   R [  66: Michael Nicks      ]
>
> i already apologized to the moderators for participating in a non-ops thread here. there are plenty of mailing lists for which botnets are on-topic. nanog is not one and should not become one. nanog has other useful purposes.

We have already enough botnets DoSsing the net. We don't need nondisclosed botlists DoSsing this forum.

We both agree
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: mitigating botnet CCs has become useless
Mikael Abrahamsson wrote:
> On Tue, 8 Aug 2006, Rick Wesson wrote:
> > Last sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
> >
> > you want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003
> >
> > just because an ISP loses some money over transit costs does not equate to the loss american business+consumers are losing to fraud.
>
> I am sure that the total cost would be less if everybody cleaned up their act. It doesn't change the fact that the individual ISP has to spend money it will never see returns on, for this common good to emerge.
>
> If the government wants to do this, then I guess it should start demanding responsibility from individuals as well, otherwise I don't see this happening anytime soon. Microsoft has a big cash reserve, perhaps the US government should start demanding them clean up their act and release more secure products, and start fining people who don't use their products responsibly. Oh, and go after the companies installing spyware, in earnest?

And to find these, they have to start wiretapping everybody to collect the information they need.

I remember working in the sysops group of a big company where we made our own law:

Leaving your terminal without logoff would cost you a bottle of cognac.
Writing your password under the keyboard would cost you a bottle of cognac.
...

My boss used to have stomach aches. That is why around noon you would find most of us in the machine room - sorting tapes :) It was the coldest place in the building. Right to cool down our red faces :)

It might be cool if an ISP was to charge his customers a bottle of Pepsi every time they got hacked.

It might be even more cool if the customer succeeded to charge Microsoft if they were the culprit :)

> Otoh this added security might add up to more losses than 2B per year in less functionality and more administration and procedures (overhead), so perhaps those 2B is the price we pay for freedom and liberty in this space? Always hard to find the balance.

No more balance after that bottle of cognac :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: small group seeks european IPv6 sceptic for good time
Miquel van Smoorenburg wrote:
> In article [EMAIL PROTECTED], Jeroen Massar [EMAIL PROTECTED] wrote:
> > * = not even joking, but could somebody set up a free IPv6 p0rn service; that should considerably raise the demand for IPv6 around the globe. I have some nice statistics from users from a certain asian ISP who are looking at some cosy pictures quite often, most likely using IPv6 as the content is blocked over IPv4 as The Great Firewall doesn't support the new protocol yet ;)
>
> news://newszilla6.xs4all.nl/ :)
>
> Mike.

The alternative root community has already had similar ideas. The good thing: government censoring bastards are not allowed to change their rootservers LOL.

IPv6 would even kick the router twisting guys ROFL.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Netgear wgt624 v3 (OT?)
[EMAIL PROTECTED] wrote:
> Hi,
>
> Perhaps not the best place to ask but I thought I would ask here before possibly hitting Netgear (since you have to register) or BUGTRAQ.
>
> My Netgear wgt624 v3 allows for port triggering. When I do that, it doesn't seem to work. Port FORWARDING works fine. Port triggering appears completely broken in both their stable firmware and in their beta. Anyone else experience this with their Netgear?

http://www.portforward.com/help/porttriggering.htm

I guess the problem is timing. Can you provide a continuous datastream to trigger and keep the door open? Portforwarding is much easier. I never got it working :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: traffic from DE to DE goes via NL-UK-US-FR
Andrius Kazimieras Kasparavičius wrote:
> Hi,
>
> Just wondering if it is normal for traffic from DE to DE to flow through NL-UK-US-FR and so increase delay nearly 100 times? Traceroute here: http://pastebin.ca/115200 and there are only 4 AS, so ASPATH does not help a lot in finding such links with a horrifying optimisation. I believe there are much worse links, any software to detect this? Something like scanning one ip from larger IP blocks with icmp and comparing geotrajectory via geoip?
>
> thank you,
> AKK

I remember two peculiarities.

Between Amsterdam and London packets were somersaulting. The fifth packet arrived before the second. Making VoIP impossible.

In the Cyberbunker every IPv4 address gave a different traceroute. Most addresses did not work at all.

When I replaced a GrandStream ATA-486 as VoIP gateway and DSL-router by a slow linux box, that mess cleared. Everything working fine and fast. The ICMP in the GrandStream was broken. I guess in the Cyberbunker a local router was broken too. The sh** needed both routers to reach the fan.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Detecting parked domains
Duane Wessels wrote:
> > I am looking for a way that you, or anyone else, could indicate a domain should not be considered in service although the name is registered and has an A record pointing to an active server so when I check that name it doesn't require a human to interpret the results.
>
> You might be able to use lack of an SOA record as a hint. In my experience, parked domains often do not have SOA records because the parking companies are lazy. It is a lot easier to put all the parked domains in a parent zone file, or even use a wildcard, rather than have a zone file for each parked name.
>
> Duane W.

From DNS nutshell or from the DNS and BIND book the programme

  check_soa peter-dambier.de
  ns1.peter-dambier.de has serial number 2005050401
  ns2.peter-dambier.de has serial number 2005050401

Can do. In the IASON tools there is a hacked version

  chk1soa ns1.peter-dambier.de peter-dambier.de
  soa(peter-dambier.de,2005050401,ns1.peter-dambier.de,195.20.224.105).

  chk1soa m.root-servers.net peter-dambier.de
  error(peter-dambier.de,m.root-servers.net,202.12.27.33,no soa).

IASON compiles on most flavours of unix including Mac OS-X and linux.

http://iason.site.voila.fr/
http://www.kokoom.com/iason

If you have an idea what is missing you are welcome to send me a private email.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Detecting parked domains
No, it does not look good :)

  ; <<>> DiG 9.1.3 <<>> -t any eoileon.com
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47446
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

  ;; QUESTION SECTION:
  ;eoileon.com.                   IN      ANY

  ;; ANSWER SECTION:
  eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.
  eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.

  ;; AUTHORITY SECTION:
  eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
  eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

  ;; ADDITIONAL SECTION:
  ns1.chestertonholdings.com.  172800 IN  A       204.13.160.12
  ns11.chestertonholdings.com. 172800 IN  A       204.13.161.12

  ;; Query time: 146 msec
  ;; SERVER: 192.168.48.227#53(192.168.48.227)
  ;; WHEN: Thu Aug  3 20:11:49 2006
  ;; MSG SIZE  rcvd: 145

No SOA. Of course not. It is my own resolver :) but

  ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @ns1.chestertonholdings.com.
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60197
  ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

  ;; QUESTION SECTION:
  ;eoileon.com.                   IN      ANY

  ;; ANSWER SECTION:
  eoileon.com.            86400   IN      A       204.13.161.31

  ;; AUTHORITY SECTION:
  com.                    86400   IN      NS      k.gtld-servers.net.
  com.                    86400   IN      NS      l.gtld-servers.net.
  com.                    86400   IN      NS      m.gtld-servers.net.
  com.                    86400   IN      NS      a.gtld-servers.net.
  com.                    86400   IN      NS      b.gtld-servers.net.
  com.                    86400   IN      NS      c.gtld-servers.net.
  com.                    86400   IN      NS      d.gtld-servers.net.
  com.                    86400   IN      NS      e.gtld-servers.net.
  com.                    86400   IN      NS      f.gtld-servers.net.
  com.                    86400   IN      NS      g.gtld-servers.net.
  com.                    86400   IN      NS      h.gtld-servers.net.
  com.                    86400   IN      NS      i.gtld-servers.net.
  com.                    86400   IN      NS      j.gtld-servers.net.

  ;; ADDITIONAL SECTION:
  a.gtld-servers.net.     172800  IN      A       192.5.6.30
  a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
  b.gtld-servers.net.     172800  IN      A       192.33.14.30
  b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
  c.gtld-servers.net.     172800  IN      A       192.26.92.30
  d.gtld-servers.net.     172800  IN      A       192.31.80.30
  e.gtld-servers.net.     172800  IN      A       192.12.94.30
  f.gtld-servers.net.     172800  IN      A       192.35.51.30
  g.gtld-servers.net.     172800  IN      A       192.42.93.30
  h.gtld-servers.net.     172800  IN      A       192.54.112.30
  i.gtld-servers.net.     172800  IN      A       192.43.172.30
  j.gtld-servers.net.     172800  IN      A       192.48.79.30
  k.gtld-servers.net.     172800  IN      A       192.52.178.30

  ;; Query time: 245 msec
  ;; SERVER: 204.13.160.12#53(ns1.chestertonholdings.com.)
  ;; WHEN: Thu Aug  3 20:12:12 2006
  ;; MSG SIZE  rcvd: 501

I wonder why bind did not say lame server?

  ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @a.gtld-servers.net
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39156
  ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

  ;; QUESTION SECTION:
  ;eoileon.com.                   IN      ANY

  ;; ANSWER SECTION:
  eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
  eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

  ;; AUTHORITY SECTION:
  eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
  eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

  ;; ADDITIONAL SECTION:
  ns1.chestertonholdings.com.  172800 IN  A       204.13.160.12
  ns11.chestertonholdings.com. 172800 IN  A       204.13.161.12

  ;; Query time: 160 msec
  ;; SERVER: 192.5.6.30#53(a.gtld-servers.net)
  ;; WHEN: Thu Aug  3 20:19:33 2006
  ;; MSG SIZE  rcvd: 145

And no, they are not authoritative either.

  check_soa eoileon.com
  There was no response from ns11.chestertonholdings.com
  ns1.chestertonholdings.com: expected 1 answer, got 0

  ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @ns11.chestertonholdings.com.
  ;; global options:  printcmd
  ;; connection timed out; no servers could be reached

I should say the domain eoileon.com is at least broken if not broke :)

Cheers
Peter and Karin

Duane Wessels wrote:
> On Thu, 3 Aug 2006, Joe Abley said:
> > Do you have an example of a parked domain with no SOA record?
>
> eoileon.com
> tri-cityhearald.com
>
> > Surely for that to work for most of the domains we're talking about, the parking companies would need to be able to insert arbitrary records into zones such as ORG, NET and COM, which isn't something that any of the
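The check_soa runs in the WorldNIC reply and in this thread do one simple thing: ask each delegated nameserver for the zone's SOA, print the serial, and complain when a server answers without one (ns1.chestertonholdings.com above returns an A record with the aa flag set and still no SOA). The following is an added example of that logic, written for this page and not taken from the check_soa program, IASON's chk1soa, or the thread. It runs offline: the network is replaced by a constructed table of what each (nameserver, zone) pair answers, and every zone, nameserver and serial in that table is made up.

```python
"""Offline check_soa-style consistency check (added example, not from the thread or IASON).

The network is replaced by ANSWERS, a constructed table of what each
(nameserver, zone) pair would return to a SOA query.  None models a timeout.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_records(text: str) -> List[RR]:
    """Parse dig-style 'owner TTL IN TYPE rdata' lines, skipping ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            continue
        records.append(RR(parts[0].lower(), int(parts[1]), parts[3].upper(), parts[4]))
    return records


def soa_serial(records: List[RR], zone: str) -> Optional[int]:
    """Serial from the SOA owned by `zone`, or None when the answer carries no SOA."""
    owner = zone.lower().rstrip(".") + "."
    for rr in records:
        if rr.rtype == "SOA" and rr.name == owner:
            fields = rr.rdata.split()   # mname rname serial refresh retry expire minimum
            if len(fields) >= 3:
                return int(fields[2])
    return None


# Constructed stand-in for the network: (nameserver, zone) -> answer text to a SOA query.
SOA_OK = "healthy.example. 86400 IN SOA ns1.example.net. hostmaster.example.net. 2006030200 28800 7200 604800 86400"
SOA_OLD = "stale.example. 86400 IN SOA ns1.example.net. hostmaster.example.net. 2006092700 28800 7200 604800 86400"
SOA_NEW = "stale.example. 86400 IN SOA ns1.example.net. hostmaster.example.net. 2006092800 28800 7200 604800 86400"
ANSWERS: Dict[Tuple[str, str], Optional[str]] = {
    ("ns1.example.net", "healthy.example"): SOA_OK,
    ("ns2.example.net", "healthy.example"): SOA_OK,
    ("ns1.example.net", "stale.example"): SOA_NEW,
    ("ns2.example.net", "stale.example"): SOA_OLD,       # secondary has not transferred yet
    ("ns1.park.example", "parked.example"): "parked.example. 86400 IN A 192.0.2.31",  # answers, but no SOA
    ("ns2.park.example", "parked.example"): None,         # times out
}


def query_soa(nameserver: str, zone: str) -> Optional[str]:
    """Look the answer up in the constructed table instead of sending a query."""
    return ANSWERS.get((nameserver, zone))


def check_soa(zone: str, nameservers: List[str],
              query: Callable[[str, str], Optional[str]] = query_soa,
              ) -> Tuple[Dict[str, Optional[int]], List[str]]:
    """Return {nameserver: serial-or-None} plus report lines in check_soa's wording."""
    serials: Dict[str, Optional[int]] = {}
    report: List[str] = []
    for ns in nameservers:
        answer = query(ns, zone)
        if answer is None:
            serials[ns] = None
            report.append(f"There was no response from {ns}")
            continue
        serial = soa_serial(parse_records(answer), zone)
        serials[ns] = serial
        if serial is None:
            report.append(f"{ns}: expected 1 answer, got 0")
        else:
            report.append(f"{ns} has serial number {serial}")
    return serials, report


def classify(serials: Dict[str, Optional[int]]) -> str:
    """One of: consistent, serial mismatch, partially lame, no soa."""
    values = [s for s in serials.values() if s is not None]
    if not values:
        return "no soa"              # nobody returned an SOA: lame, parked under a wildcard, or dead
    if len(values) < len(serials):
        return "partially lame"
    if len(set(values)) > 1:
        return "serial mismatch"     # zone transfer lagging, or two masters with different copies
    return "consistent"


if __name__ == "__main__":
    for zone, servers in (("healthy.example", ["ns1.example.net", "ns2.example.net"]),
                          ("stale.example", ["ns1.example.net", "ns2.example.net"]),
                          ("parked.example", ["ns1.park.example", "ns2.park.example"])):
        serials, report = check_soa(zone, servers)
        print(f"check_soa {zone}  ->  {classify(serials)}")
        for line in report:
            print("   ", line)
```

To use it against live servers, replace `query_soa` with a function that sends the SOA query and returns the answer section as text; the parsing and classification do not change. "no soa" is exactly the state Duane proposes as a parking hint, and it is also what a plain lame delegation looks like, which is why the result still needs a human look.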
Re: mitigating botnet CCs has become useless
Barry Shein wrote:
> On August 1, 2006 at 11:50 [EMAIL PROTECTED] (Scott Weeks) wrote:
> > ... there has to be a technical way to do this, rather than a diplomatic way as the diplomatic ways historically have not worked in the other areas mentioned, so they probably won't work here, either. Or we have to keep going until one can be contrived. Many good attempts have been made and there will be more to come until we hopefully rid ourselves of the sickness others of lower values force on us daily...
>
> I have nothing against technical solutions tho after over ten years of a lot of smart people trying, and a grand prize of probably a billion dollars increase in personal wealth, it doesn't seem forthcoming.

Let me try to become Gadi.

First of all block port 80 (http) :)

Next block port 53 udp (dns). Now you have got rid of amplification attacks because spoofing does no longer work and you have got rid of all those silly users that only know how to click the mouse.

Put every client leaking netbios into a sandbox. Don't allow them anything but logon :)

> However, I do take exception to the assertion that diplomatic ways historically have not worked in other areas mentioned. I think what you mean is that they haven't worked perfectly, but slipped the semantics a little. Surely you didn't mean to say that all efforts to oppose, e.g., the human slave trade have been in vain?
>
> The effectiveness has a lot to do with the profitability making the risk worthwhile (e.g., drug trade), and who the crime appeals to; some poor, desperate people will take risks others won't (e.g., high-seas piracy.)

Unfortunately all this reasoning might be edifying but it leads nowhere.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Detecting parked domains
Sean Donelan wrote:
> On Wed, 2 Aug 2006, Florian Weimer wrote:
> > > Has anyone come up with a quick method for detecting if a domain name is parked, but is not being used except displaying ads?
> >
> > AFAICT, the main challenge is to define what parked means in the context of your application.
>
> There seem to be DNSBLs for every other thing, I was expecting to find one for parked domain names or the server IP addresses used. This was for personal interest, rather than a commercial opportunity. I'm a lousy typist and it's unlikely to change. But I can write computer applications. I'd rather get a message my application can process rather than relying on a human.
>
> My preference is legitimate domain parking firms included a standardized piece of meta-data my application could detect and use as "this domain doesn't really exist". Sort of a variant of the web robots.txt file, but I prefer it to be application independent, instead of assuming everything is HTTP Port 80. Perhaps start with a standard record associated with the parked domain, i.e. _notexist.example.com.
>
> For less legitimate domain parking (i.e. typo-squatters), it's a different problem.

How about creating a database

  domain(domain_owner,domain_name)

and then querying by domain_owner. If the guy has more than 100 he looks like a squatter and can be manually looked at.

e.g.

  6.ag.            86400 IN NS ns1.sedoparking.com.
  6.ag.            86400 IN NS ns2.sedoparking.com.
  auktion.ag.      86400 IN NS ns1.sedoparking.com.
  auktion.ag.      86400 IN NS ns2.sedoparking.com.
  bilder.ag.       86400 IN NS ns1.sedoparking.com.
  bilder.ag.       86400 IN NS ns2.sedoparking.com.
  ...
  tvshop.ag.       86400 IN NS ns1.sedoparking.com.
  tvshop.ag.       86400 IN NS ns2.sedoparking.com.
  videothek.ag.    86400 IN NS ns1.sedoparking.com.
  videothek.ag.    86400 IN NS ns2.sedoparking.com.
  webhosting.ag.   86400 IN NS ns1.sedoparking.com.
  webhosting.ag.   86400 IN NS ns2.sedoparking.com.

grep | wc says he has 51 lines. I guess it is 26 domains. The name suggests they are parked.

  01.ag.           86400 IN NS ns19.schlund.de.
  01.ag.           86400 IN NS ns20.schlund.de.
  0800fitness.ag.  86400 IN NS ns11.schlund.de.
  0800fitness.ag.  86400 IN NS ns12.schlund.de.
  1-and-1.ag.      86400 IN NS ns3.schlund.de.
  1-and-1.ag.      86400 IN NS ns4.schlund.de.
  ...
  zusatzverdienst.ag. 86400 IN NS ns7.schlund.de.
  zusatzverdienst.ag. 86400 IN NS ns8.schlund.de.
  zweitmarkt.ag.   86400 IN NS ns25.schlund.de.
  zweitmarkt.ag.   86400 IN NS ns26.schlund.de.
  zypern.ag.       86400 IN NS ns21.schlund.de.
  zypern.ag.       86400 IN NS ns22.schlund.de.

grep | wc says 3226 lines. But they are a famous German hoster. I don't think they are squatting.

Just for curiosity: AG is the German equivalent of PLC, or SA in French.

I thought the nameservers would do. Maybe the whois gives more help.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
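The "group by owner, look at anyone with more than 100" idea in the post above is easy to mechanise from a TLD zone's NS records, and the post also shows its weak spot: a large hoster trips the threshold just as a parking company does. Here it is as an added example (not the poster's grep | wc pipeline and not IASON code), with the NS target's registered domain standing in for the owner. The sedoparking and schlund lines are the ones quoted in the post; the 120 domains under `bighoster.example` and the threshold behaviour around them are constructed.

```python
"""Group delegated domains by nameserver provider (added example, not from the thread).

Implements the 'domain(domain_owner, domain_name) ... more than 100 looks like a
squatter' heuristic from the post above, using the NS target as a stand-in for
the owner, and keeps a second, independent hint (a provider name containing
'park') so the two reasons for a manual look can be told apart.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def registered_domain(name: str) -> str:
    """'ns1.sedoparking.com.' -> 'sedoparking.com' (last two labels; a real tool would use the public suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domains_by_provider(ns_lines: str) -> Dict[str, Set[str]]:
    """Map NS provider -> set of domains delegated to it, from 'domain TTL IN NS target' lines."""
    providers: Dict[str, Set[str]] = defaultdict(set)
    for line in ns_lines.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "NS":
            continue            # skips the '...' lines and anything that is not an NS record
        providers[registered_domain(parts[4])].add(parts[0].rstrip(".").lower())
    return providers


PARKING_HINT = re.compile(r"park", re.IGNORECASE)


def review_candidates(providers: Dict[str, Set[str]], threshold: int = 100) -> List[Tuple[str, int, List[str]]]:
    """Providers worth a manual look, largest first, each with the reasons it was picked."""
    out = []
    for provider, domains in sorted(providers.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        reasons = []
        if len(domains) > threshold:
            reasons.append(f"more than {threshold} domains")
        if PARKING_HINT.search(provider):
            reasons.append("provider name suggests parking")
        if reasons:
            out.append((provider, len(domains), reasons))
    return out


# Constructed sample: the delegations quoted in the post, plus 120 made-up domains
# under a hypothetical large hoster to exercise the threshold.
SAMPLE_NS_LINES = """
6.ag.            86400 IN NS ns1.sedoparking.com.
6.ag.            86400 IN NS ns2.sedoparking.com.
auktion.ag.      86400 IN NS ns1.sedoparking.com.
auktion.ag.      86400 IN NS ns2.sedoparking.com.
bilder.ag.       86400 IN NS ns1.sedoparking.com.
bilder.ag.       86400 IN NS ns2.sedoparking.com.
...
tvshop.ag.       86400 IN NS ns1.sedoparking.com.
tvshop.ag.       86400 IN NS ns2.sedoparking.com.
videothek.ag.    86400 IN NS ns1.sedoparking.com.
videothek.ag.    86400 IN NS ns2.sedoparking.com.
webhosting.ag.   86400 IN NS ns1.sedoparking.com.
webhosting.ag.   86400 IN NS ns2.sedoparking.com.
01.ag.           86400 IN NS ns19.schlund.de.
01.ag.           86400 IN NS ns20.schlund.de.
0800fitness.ag.  86400 IN NS ns11.schlund.de.
0800fitness.ag.  86400 IN NS ns12.schlund.de.
1-and-1.ag.      86400 IN NS ns3.schlund.de.
1-and-1.ag.      86400 IN NS ns4.schlund.de.
""" + "\n".join(
    f"site{i}.example. 86400 IN NS ns{1 + i % 2}.bighoster.example." for i in range(120)
)

if __name__ == "__main__":
    providers = domains_by_provider(SAMPLE_NS_LINES)
    for provider, count, reasons in review_candidates(providers):
        print(f"{provider:22s} {count:5d} domains   {'; '.join(reasons)}")
```

The count alone flags `bighoster.example` and says nothing about `sedoparking.com`, which has only six domains in this sample; the name hint catches the latter. Neither hint decides anything on its own, which is the post's own conclusion about schlund.de.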
Re: mitigating botnet CCs has become useless
Paul Vixie wrote:
> [EMAIL PROTECTED] (Scott Weeks) writes:
> > From: Paul Vixie [EMAIL PROTECTED]
> > http://fm.vix.com/internet/security/superbugs.html
> >
> > ... I'd like to see ...jackbooted [US is implied in the text] government thugs...kicking in a door somewhere ...

Paul, it is people like you who tell us there is still hope in the US :)

There is a nuclear bunker between the Schelde rivers in the Netherlands. The facility used to house an XTC lab and the Turkish root - and the police would not dare to kick their doors in because the guys told them they were an independent country and threatened to send bombs upon Amsterdam :)

And there are other countries in Europe where it is a military secret that they are wearing boots and they are able to kick doors in.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Detecting parked domains
Stephane Bortzmeyer wrote:
> On Tue, Aug 01, 2006 at 03:35:40PM -0400, Sean Donelan [EMAIL PROTECTED] wrote a message of 6 lines which said:
> > Has anyone come up with a quick method for detecting if a domain name is parked, but is not being used except displaying ads?
>
> I don't think it is possible: being parked cannot be defined in an algorithmic way. My own domain sources.org does not even have a Web site (and I swear it is not parked).
>
> Let's try:
>
> * Bayesian filtering on the content of the Web page, after suitable training?
> * Number of different pages on the site (if n == 1 then the domain is parked)?
> * (Based on the analysis of many sites, not just one) Content of the page almost identical to the content of many other pages? (Caveat: the Apache default installation page...)

Don't forget there are mail-only domains. I used to have one. Now it is used to forward html somehow to my real homepage.

  ; <<>> DiG 9.1.3 <<>> -t any peter-dambier.de @212.227.123.12
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
  ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;peter-dambier.de.              IN      ANY

  ;; ANSWER SECTION:
  peter-dambier.de.       86400   IN      SOA     ns15.schlund.de. hostmaster.schlund.de. 2005050401 28800 7200 604800 86400
  peter-dambier.de.       86400   IN      NS      ns15.schlund.de.
  peter-dambier.de.       86400   IN      NS      ns16.schlund.de.
  peter-dambier.de.       86400   IN      MX      10 mx0.gmx.de.
  peter-dambier.de.       86400   IN      MX      10 mx0.gmx.net.
  peter-dambier.de.       10800   IN      A       82.165.62.90

  ;; Query time: 63 msec
  ;; SERVER: 212.227.123.12#53(212.227.123.12)
  ;; WHEN: Tue Aug  1 22:18:51 2006
  ;; MSG SIZE  rcvd: 217

  <HTML><HEAD><TITLE>Peter und Karin Dambier</TITLE></HEAD>
  <FRAMESET ROWS="100%,*" BORDER=0 FRAMEBORDER=0>
  <FRAME SRC="http://www.peter-dambier.gmxhome.de/" SCROLLING=AUTO NAME=bannerframe NORESIZE>
  </FRAMESET>
  <NOFRAMES>
  Peter und Karin Dambier
  <P><DIV ALIGN=CENTER><A HREF="http://www.peter-dambier.gmxhome.de/">http://peter-dambier.de/</A></DIV>
  </NOFRAMES>
  </HTML>

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: AOL Mail Problem
Tom Quilling wrote:
> Hi Folks
>
> We are an ISP in Germany and have experienced since this morning, July 27 07:00 GMT, problems with all mail-in servers at AOL. They seem to refuse mail connections, giving error message 554 for no reason at all, since our servers are not listed in any RBL etc.
>
> We can see that they extract from the header the original sender IP of a mail, instead of the one from the MAIL-RELAY-SERVER, as specified in RFC. As these senders are from ADSL IPs, AOL refuses them.
>
> This is definitely wrong by AOL...
>
> Does anybody else experience this problem..
>
> Regards
> Tom Quilling

Even worse. Except from [EMAIL PROTECTED] I could never ever send emails to AOL. I do not even get bounces. I tried

  GMX
  1&1
  gmail
  yahoo.ca
  memor.net (.it)
  wannado.fr
  cyberbunker.net (.nl)

But don't worry, SPAM gets through. They block only emails :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Web typo-correction (Re: Sitefinder II, the sequel...)
Edward B. DREGER wrote:
> I'm generally ignoring other protocols to limit the discussion scope. However, one can see how SMTP and FTP might be similarly handled. (IMHO not as good as a SRV-ish system that could return NXDOMAIN per service, but actually somewhat usable today.)

No, you should not.

The other important things that come into my mind are

mail - My thunderbird does use dns, looking for MX records mostly. For me it is the most important application.

phone - Either VoIP or Skype, they both need dns, looking for NAPTR? The box is hardware. It does not run windows and it has its own resolver onboard.

dns --- Some resolvers do not use forwarders. They know whom to query. They will get a hiccup if somebody is returning them the wrong ip address for a nameserver (agreed, if you use e.g. djbdns you most likely will not use OpenDNS in the first place)

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Sitefinder II, the sequel...
Having seen a lot of cons and few pros, here is my scenario:

I am running my own root, a copy of the Cesidian Root plus some TLDs of my own liking, some shared with friends who don't want to risk cache poisoning. I am running both djbdns (dnscache with tinydns and axfrdns as root) and Bind 9.4.0.a6.

I have seen that my own nameservers are always faster than my ISP's.

I like the idea of catching the phishermen before they can catch me, although I am not running Phisherman's friend (windows eXPerimental). I have seen with my own eyes on a windows system OpenDNS is a MUST. Even if I don't click on install or execute... and I do not trust open MACs too very much either.

I do not necessarily improve speed when using OpenDNS and I am not sure whether I want OpenDNS to decide between typos and alt. TLDs. But I still want to catch the phishermen.

Does it make sense for me and mine?

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
...: DA Workshop - ISOI
Gadi Evron wrote:
> This is a call for papers for a DA Workshop (ISOTF/TISF DA). Its name is: Internet Security Operations and Intelligence Workshop or ISOI for short. DA stands for Drone Armies (botnets), which is the main subject of this workshop.

Sorry, I always thought DA stands for Dumbledore's Army or Defense against the Dark Arts :)

> ...
> communities with the much appreciated help of Cisco Systems, Inc.,

Isn't that the people we must defend against, with backdoors and nondisclosure agreements and things like that?

> and is closed to members of the following communities:

Looks more like The One Whose Name Must Not Be Spoken Aloud than Dumbledore.

> If you are not a member and would like to attend, feel free to send a request. We would be happy to learn of your interest.

No, IASON is meant to stay open source.

> The workshop is closed to reporters.

I am a writer, I think that comes close to a reporter.

Maybe another time?

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: NANOG Spam?
Henry Linneweh wrote:
> I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog, anticipating spam
>
> -Henry sage
>
> From: Dominic J. Eidson [EMAIL PROTECTED]
> To: nanog@merit.edu
> Sent: Thursday, July 6, 2006 8:14:58 AM
> Subject: Re: NANOG Spam?
>
> On Thu, 6 Jul 2006, Sabri Berisha wrote:
> > On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
> > > Hi,
> > >
> > > Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon. So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
> >
> > unlurked:)

Having very good experiences with spam filters (I have them all switched off :) I did not even see the spam. My manual spamfilter successfully removed them.

Yes, I remember spam with nanog in the sender field. I receive a lot of spam from everybody, including myself. That is why it never occurred to me it might not have been faked.

> The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access? Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...
>
> - d.

Mine is more a fly-by without pants :)

Having been hit by the lurking bit, you most likely have not spammed or that bit would not be set in the first place.

Looks like a job for a trunk monkey.

Regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Silicon-germanium routers?
David W. Hankins wrote:
> IBM and Georgia Institute of Technology are experimenting with silicon-germanium, it is said here:
> http://tinyurl.com/g26bu
>
> I find this interesting having just attended NANOG 37 where some manufacturers of network devices told us in a panel that network heat problems weren't going away unless there's a 'next big thing' in manufacturing process. Is this it?
>
> Corollary: If our routers are made of silicon-germanium, would the CLI only operate in Deutsch?

Jawoll, es wuerde :) (Yes indeed, it would.)

I remember my old radio days. My audion and diode receivers never would work with silicon, only with germanium diodes and transistors. The difference is the voltage threshold where the device would start conducting. That is 200 mV for germanium but 800 mV for silicon. Devices running with silicon and 2.4 volts will go down to 600 mV. That means power consumption will drop to 1/4. The real thing is a bit more complex but for a guesstimation ...

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: on topic?
Paul Vixie wrote:
> The effect of Nanog is remarkable. All the hybrid cells became fully converted to embryonic stem cells, said Jose Silva of the University of Edinburgh, Scotland, who reported the findings in the journal Nature.
> http://news.com.com/Gene+may+mean+adult+cells+can+be+reprogrammed/2100-1008_3-6083878.html?tag=nefd.top

That is why more people from the old continent have subscribed to NANOG than to lists.ripe.net :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: Tracing network procedure for stolen computers
Colin Johnston wrote:
> Hi folks,
>
> Quick security tracing question, flame me if you think off-network topic.
>
> Earlier this month my daughter's iBook was stolen, oh well that is life I guess. Anyway updated mail server software for full debug and IP log since noticed that mail account was accessed yesterday. I am now hoping it is accessed again, system was setup to pull each min so when they (thugs) access internet again hopefully will honeytrap IP number.
>
> What does one do next ? I guess inform police etc but would this be too slow ?? Do I contact ARIN/RIPE contacts direct ??
>
> I know about software that should have been installed for tracing if stolen but wondered about in the real network world how useful this was and if any items recovered ??
>
> Colin Johnston
> Satsig sysadmin

Apple have their own good ideas. Besides, a VoIP phone software or something like no-ip.com is good to permanently know what ip-address the toy has.

Knowing the ip you can traceroute to guess what continent, state, province it is in, via its final router. The police and the owner of the final router should do the rest.

Bad idea :) have some child porn on the box and mail it to the police. They will trace it very fast.

--
Peter and Karin Dambier
Re: Zebra/linux device production networking?
Nick Burke wrote:
> Greetings fellow nanogers,
>
> How many of you have actually use(d) Zebra/Linux as a routing device (core and/or regional, I'd be interested in both) in a production (read: 99.999% required, hsrp, bgp, dot1q, other goodies) environment?

Just have a look for MTU. If you connect home - aDSL - someplace and your MTU is smaller than the aDSL packetsize then your connection is home - adsl - tunnel - someplace.

That tunnel consists of two routers, linux or whatever. Behind the tunnel you might find some 200 hosts. The speed is 2Meg through the tunnel. It used to connect one /18 and a handful of /24.

The two linux boxes were maintained by a guru. They almost never gave problems. Mostly the hardware router behind that tunnel did. I don't know what kind of device it is. All I know is, it seems to know some 8 or more interfaces, hardware or virtual.

The installation, a nuclear bunker, used to house some websites and services. (And an XTC-lab :) There are a lot of network bunkers around. I guess half of them look the same.

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
Re: Botnet List Discussed on NANOG
Sat Mandri wrote:
> Hi Rick Peter
>
> We at Telecom NZ/Xtra are quite keen to learn from you guys how the following Statistical Data on "Botnet" was gathered and what's the initiative driving it.
>
> We look forward to hearing from you guys on this matter.
>
> Kind Regards
> Sat Mandri

Hi Sat,

I built IASON to check and protect computer centres against attackers. The first thing IASON did was analyzing logs on routers, switches and everything. Next step might be tuning firewalls and switches, if need be, isolating devices from the net.

http://iason.site.voila.fr/
http://www.kokoom.com/iason/

I still have a little trouble with
https://sourceforge.net/projects/iason/

Taking parts of IASON you can adapt it to count anything, like: Whenever a firewall, an xinetd or somebody else sees activity on a port that is known to be notorious for a bot, then count and remember that ip-address. That is a crude one but it gives you an overview.

With tools like IASON, you could analyze your findings for repeating patterns. Now you can identify the bots even after they change ip-addresses.

Why did I build IASON in the first place? Working for companies like GLC, Global Center and Exodus I got tired of watching people in the NOC doing the same thing again and again for hours. Their expertise was not knowledge but pure typing speed. IASON can type much faster and he even has time to read the logs. With the core of IASON programmed in prolog it might even get a clue :)

Cheers
Peter and Karin

> -- Forwarded message --
> Date: Fri, 26 May 2006 10:21:10 -0700
> From: Rick Wesson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: nanog@merit.edu
> Subject: Re: Are botnets relevant to NANOG?
>
>> Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging.
>>
>> On the other hand without Gadi's howling for the wolves those wolves might be lost species and without the wolves all the nagging and ranting would make less fun.
>
> lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1]. The second table is Universities. The ASNs concerned are just those announced by orgs in the USA, so as to imply that they should be on NANOG.
>
> Let me say it again: the counts are NEW observations in the last 5 days. also note I'm not Gadi, and I've got much more data on everyone's networks.
>
> -rick
>
> New compromised unique IP addresses (last 5 days)
>
> Tier-2 ASN
> +-------+------------------------------------+-------+
> | asnum | asname                             | cnt   |
> +-------+------------------------------------+-------+
> | 19262 | Verizon Internet Services          | 35790 |
> | 20115 | Charter Communications             |  4453 |
> |  8584 | Barak AS                           |  3930 |
> |  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
> | 12271 | Road Runner                        |  2485 |
> | 22291 | Charter Communications             |  2039 |
> |  8113 | VRIS Verizon Internet Services     |  1664 |
> |  6197 | BellSouth Network Solutions, Inc   |  1634 |
> |  6198 | BellSouth Network Solutions, Inc   |  1531 |
> | *9325 | XTRA-AS Telecom XTRA, Auckland     | 1415* |
> | 11351 | Road Runner                        |  1415 |
> |  6140 | ImpSat                             |  1051 |
> |  7021 | Verizon Internet Services          |   961 |
> |  6350 | Verizon Internet Services          |   945 |
> | 19444 | CHARTER COMMUNICATIONS             |   845 |
> +-------+------------------------------------+-------+
>
> Universities, new unique ip last 5 days
> +-------+--------------------------------+-----+
> | asnum | left(asname,30)                | cnt |
> +-------+--------------------------------+-----+
> |    14 | Columbia University            |  93 |
> |     3 | MIT-2 Massachusetts Institute  |  45 |
> |    73 | University of Washington       |  25 |
> |  7925 | West Virginia Network for Educ |  24 |
> |  4385 | RIT-3 Rochester Institute of T |  20 |
> | 23369 | SCOE-5 Sonoma County Office of |  19 |
> |  5078 | Oklahoma Network for Education |  18 |
> |  3388 | UNM University of New Mexico   |  18 |
> |    55 | University of Pennsylvania     |  13 |
> |   159 | The Ohio State University      |  12 |
> |   104 | University of Colorado at Boul |  12 |
> |  4265 | CERFN California Education and |  11 |
> |   693 | University of Notre Dame       |  10 |
> |  2900 | Arizona Tri University Network |   9 |
> |  2637 | Georgia Institute of Technolog |   9 |
> +-------+--------------------------------+-----+
>
> [1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/

--
Peter and Karin Dambier
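The crude counter and the pattern step described in the reply above, as an added example that is neither IASON's code nor anything posted in the thread: it tallies per-source hits on a set of watched ports from netfilter-style firewall log lines, flags sources over a threshold, and then keys sources by the order in which they first probed those ports, so the same behaviour seen from two different addresses is reported as one pattern. The port set, the threshold, the log format and the log lines are all constructed assumptions for this example.

```python
"""Count per-source hits on ports known for bot activity and group sources by
behavioural signature so a bot that changes address can still be recognised.
Added example; the log lines below are constructed, not from any real firewall."""
import re
from collections import Counter, defaultdict

# Ports treated as "notorious" for this example (an assumption, not the post's list).
WATCHED_PORTS = {135, 139, 445, 1433, 3127, 6667}
# Number of watched-port hits at which a source is flagged (assumption).
HIT_THRESHOLD = 3

# netfilter/iptables-style log lines, constructed for this example.
SAMPLE_LOG = """\
May 26 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3344 DPT=445 SYN
May 26 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=3345 DPT=135 SYN
May 26 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=3346 DPT=6667 SYN
May 26 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
May 26 10:03:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4100 DPT=445 SYN
May 26 10:03:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=4101 DPT=135 SYN
May 26 10:03:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=4102 DPT=6667 SYN
May 26 10:04:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=1433 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (src, proto, dport) for every line that matches the netfilter format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def count_hits(log_text):
    """The crude counter: connections per source to any watched port."""
    hits = Counter()
    for src, _proto, dport in parse(log_text):
        if dport in WATCHED_PORTS:
            hits[src] += 1
    return hits


def flagged(log_text, threshold=HIT_THRESHOLD):
    """Sources that reached the threshold, sorted for stable output."""
    return sorted(src for src, n in count_hits(log_text).items() if n >= threshold)


def signatures(log_text):
    """Behavioural signature per source: the order in which watched ports were first probed."""
    order = defaultdict(list)
    for src, _proto, dport in parse(log_text):
        if dport in WATCHED_PORTS and dport not in order[src]:
            order[src].append(dport)
    return {src: tuple(ports) for src, ports in order.items()}


def group_by_signature(log_text):
    """Group sources that share a probe pattern of two or more ports: {signature: [sources]}."""
    groups = defaultdict(list)
    for src, sig in signatures(log_text).items():
        groups[sig].append(src)
    return {sig: sorted(srcs) for sig, srcs in groups.items() if len(sig) >= 2}


if __name__ == "__main__":
    print("hits:", dict(count_hits(SAMPLE_LOG)))
    print("flagged:", flagged(SAMPLE_LOG))
    for sig, srcs in group_by_signature(SAMPLE_LOG).items():
        print("pattern", sig, "seen from", srcs)
```

On the constructed input the two sources that walk 445, 135, 6667 in that order are reported under one signature even though their addresses are unrelated; a single 1433 probe stays a count of one and forms no pattern. Real logs need the port list tuned to what is being seen, and the signature can be extended with timing between probes.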
Re: Botnet List Discussed on NANOG
Hi Sat,

your mailer does not like me. If it is interesting for you, please forward.

Kind regards
Peter and Karin Dambier

[EMAIL PROTECTED]:
146.171.13.195_does_not_like_recipient.
/Remote_host_said:_554_Service_unavailable;
_Client_host_[213.165.64.20]_blocked_using_dnsbl.sorbs.net;
_Spam_Received_See:
_http://www.sorbs.net/lookup.shtml?213.165.64.20/Giving_up_on_146.171.13.195./

Sat Mandri wrote:
> Hi Rick Peter
>
> We at Telecom NZ/Xtra are quite keen to learn from you guys how the following Statistical Data on "Botnet" was gathered and what's the initiative driving it.
>
> We look forward to hearing from you guys on this matter.
>
> Kind Regards
> Sat Mandri
>
> -- Forwarded message --
> Date: Fri, 26 May 2006 10:21:10 -0700
> From: Rick Wesson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: nanog@merit.edu
> Subject: Re: Are botnets relevant to NANOG?
>
>> Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging.
>>
>> On the other hand without Gadi's howling for the wolves those wolves might be lost species and without the wolves all the nagging and ranting would make less fun.
>
> lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1]. The second table is Universities. The ASNs concerned are just those announced by orgs in the USA, so as to imply that they should be on NANOG.
>
> Let me say it again: the counts are NEW observations in the last 5 days. also note I'm not Gadi, and I've got much more data on everyone's networks.
>
> -rick
>
> New compromised unique IP addresses (last 5 days)
>
> Tier-2 ASN
> +-------+------------------------------------+-------+
> | asnum | asname                             | cnt   |
> +-------+------------------------------------+-------+
> | 19262 | Verizon Internet Services          | 35790 |
> | 20115 | Charter Communications             |  4453 |
> |  8584 | Barak AS                           |  3930 |
> |  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
> | 12271 | Road Runner                        |  2485 |
> | 22291 | Charter Communications             |  2039 |
> |  8113 | VRIS Verizon Internet Services     |  1664 |
> |  6197 | BellSouth Network Solutions, Inc   |  1634 |
> |  6198 | BellSouth Network Solutions, Inc   |  1531 |
> | *9325 | XTRA-AS Telecom XTRA, Auckland     | 1415* |
> | 11351 | Road Runner                        |  1415 |
> |  6140 | ImpSat                             |  1051 |
> |  7021 | Verizon Internet Services          |   961 |
> |  6350 | Verizon Internet Services          |   945 |
> | 19444 | CHARTER COMMUNICATIONS             |   845 |
> +-------+------------------------------------+-------+
>
> Universities, new unique ip last 5 days
> +-------+--------------------------------+-----+
> | asnum | left(asname,30)                | cnt |
> +-------+--------------------------------+-----+
> |    14 | Columbia University            |  93 |
> |     3 | MIT-2 Massachusetts Institute  |  45 |
> |    73 | University of Washington       |  25 |
> |  7925 | West Virginia Network for Educ |  24 |
> |  4385 | RIT-3 Rochester Institute of T |  20 |
> | 23369 | SCOE-5 Sonoma County Office of |  19 |
> |  5078 | Oklahoma Network for Education |  18 |
> |  3388 | UNM University of New Mexico   |  18 |
> |    55 | University of Pennsylvania     |  13 |
> |   159 | The Ohio State University      |  12 |
> |   104 | University of Colorado at Boul |  12 |
> |  4265 | CERFN California Education and |  11 |
> |   693 | University of Notre Dame       |  10 |
> |  2900 | Arizona Tri University Network |   9 |
> |  2637 | Georgia Institute of Technolog |   9 |
> +-------+--------------------------------+-----+
>
> [1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/

--
Peter and Karin Dambier
Re: Are botnets relevant to NANOG?
[EMAIL PROTECTED] wrote:
> In recent discussions about botnets, some people maintained that botnets (and viruses and worms) are really not a relevant topic for NANOG discussion and are not something that we should be worried about. I think that the CSI and FBI would disagree with that.

Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging.

On the other hand without Gadi's howling for the wolves those wolves might be lost species and without the wolves all the nagging and ranting would make less fun.

> Now NANOG members cannot change OS security, they can't change corporate security practices, but they can have an impact on botnets because this is where the nefarious activity meets the network.

They can. All you have to do is look for free software and join the developers or the testers or report whatever you have found out.

When working for Exodus and GLC I have seen I could change security practices. I was working in London, Munich and Frankfurt NOCs. Sorry I did not know about NANOG at that time. It would have made my life a lot more interesting.

> Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is not used as a primary venue for discussing them.

Botnets are networks. We should have the network operators on the NANOG list. (I am afraid we do already have them :)

> One thing that surveys, such as the CSI/FBI Security Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut down botnets. It's similar to the fight against terrorism. I know that there have been 2 terrorist attacks on London since 9/11 but I don't know HOW MANY ATTACKS HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more. Cleaning up botnets is rather like fighting terrorism. At the end, you have nothing to show for it. No news coverage, no big heaps of praise. Most people aren't sure there was ever a problem to begin with. That doesn't mean that the work should stop or that network providers should withhold their support for cleaning up the botnet problem.

Maybe it is high time for a transparent frog. Invisible for secure systems but as soon as one of the bots tries to infect it, it will ...

In case you are not Gadi or working for Gadi, feel free to ignore the transparent frog. I have never met one :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: Are botnets relevant to NANOG?
John Kristoff wrote:
> On Fri, 26 May 2006 11:50:21 -0700
> Rick Wesson [EMAIL PROTECTED] wrote:
>> The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers.
>
> I don't know how effective the dynamic lists maintained by some in the anti-spamming community are, you'd probably know better than I, but that is one way as described in the paper.
>
> In the first section of the paper I cited they list three methods they used to try to capture stable IP addresses. Summarizing those:
>
> 1. reverse map the IP address and analyze the hostname
> 2. do same for nearby addresses and analyze character difference ratio
> 3. compare active probes of suspect app with icmp echo response

Tool to help you. Try natnum from the IASON tools.

$ natnum echnaton.serveftp.com
host_look(84.167.246.104,echnaton.serveftp.com,1420293736).
host_name(84.167.246.104,p54A7F668.dip.t-dialin.net).

You can feed natnum a hostname or an ip-address or even a long integer.

If you want to dump an address range use name2pl.

$ name2pl 84.167.246.100 8
host_name(84.167.246.100,p54A7F664.dip.t-dialin.net).
host_name(84.167.246.101,p54A7F665.dip.t-dialin.net).
...
host_name(84.167.246.106,p54A7F66A.dip.t-dialin.net).
host_name(84.167.246.107,p54A7F66B.dip.t-dialin.net).

Dumps you 8 ip-addresses starting from 84.167.246.100. Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry, the sourceforge still gives me hiccups :)

Sorry, will compile and run on UNIX, BSD, Linux, MAC OS-X only.

> None of these will be foolproof and the last one will probably only be good for cases where there is a service running where you'd rather there not be and you can test for it (e.g. open relays).
>
> There was at least one additional reference to related work in that paper, which leads to more still, but I'll let those interested do their own research on additional ideas for themselves.
>
>> also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.
>
> Will look forward to seeing more.
>
> Thanks,
> John

Kind regards
Peter and Karin

--
Peter and Karin Dambier
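Methods 1 and 2 from John's summary, applied offline to a reverse-DNS table, as an added example that is not natnum, name2pl or any other IASON code: it computes the 32-bit integer natnum prints, checks whether a PTR name embeds its own address (the p54A7F668 label in the output above is exactly 84.167.246.104 in hex, which is what makes it look generated), and compares a name with those of its neighbouring addresses by character difference ratio. The PTR table stands in for real lookups; the t-dialin.net entries follow the pattern shown in the post, the example.net and example.org entries, the neighbour span and the 0.1 ratio cut-off are constructed assumptions.

```python
"""Dynamic-address heuristics (PTR name embeds the address; neighbouring PTR names
differ only slightly) run against a constructed reverse-DNS table.
Added example, not code from IASON or from the paper cited in the thread."""
import ipaddress

# Constructed table standing in for real PTR lookups (assumption). The t-dialin.net
# names follow the pattern quoted in the post; the other entries are invented.
PTR_TABLE = {
    "84.167.246.100": "p54A7F664.dip.t-dialin.net",
    "84.167.246.101": "p54A7F665.dip.t-dialin.net",
    "84.167.246.102": "p54A7F666.dip.t-dialin.net",
    "84.167.246.103": "p54A7F667.dip.t-dialin.net",
    "84.167.246.104": "p54A7F668.dip.t-dialin.net",
    "198.51.100.20": "dyn20.pool.example.org",
    "198.51.100.21": "dyn21.pool.example.org",
    "198.51.100.22": "dyn22.pool.example.org",
    "192.0.2.10": "mail.example.net",
    "192.0.2.11": "www.example.net",
    "192.0.2.12": "ns1.example.net",
}


def natnum(addr):
    """The 32-bit integer form of a dotted IPv4 address (the long integer natnum prints)."""
    return int(ipaddress.IPv4Address(addr))


def embeds_address(addr, name):
    """Method 1: does the hostname contain the address as 8 hex digits or dotted/dashed decimal?"""
    label = name.lower()
    if "%08x" % natnum(addr) in label:
        return True
    octets = addr.split(".")
    return any(sep.join(octets) in label for sep in (".", "-"))


def char_diff_ratio(a, b):
    """Fraction of positions at which two names differ after padding to equal length."""
    width = max(len(a), len(b))
    a, b = a.ljust(width), b.ljust(width)
    return sum(x != y for x, y in zip(a, b)) / width


def neighbour_ratio(addr, table, span=2):
    """Method 2: mean difference ratio against the names of addresses within +/- span."""
    me = table.get(addr)
    if me is None:
        return None
    base = natnum(addr)
    ratios = []
    for off in range(-span, span + 1):
        if off == 0:
            continue
        other = str(ipaddress.IPv4Address(base + off))
        if other in table:
            ratios.append(char_diff_ratio(me, table[other]))
    return sum(ratios) / len(ratios) if ratios else None


def classify(addr, table=PTR_TABLE, max_ratio=0.1):
    """'dynamic' if the PTR embeds the address or neighbours look generated, else 'stable'."""
    name = table.get(addr)
    if name is None:
        return "unknown"
    if embeds_address(addr, name):
        return "dynamic"
    r = neighbour_ratio(addr, table)
    return "dynamic" if r is not None and r <= max_ratio else "stable"


if __name__ == "__main__":
    for a in ("84.167.246.104", "198.51.100.20", "192.0.2.10", "10.0.0.1"):
        print(a, PTR_TABLE.get(a, "-"), natnum(a), classify(a))
```

The hex check alone catches the t-dialin.net pool; the dyn20/dyn21/dyn22 names are only caught by the neighbour comparison, and mail/www/ns1 stay "stable" because their names share almost nothing. As John says, none of this is foolproof: a provider that gives every customer a generic name defeats method 1, and a static block with numbered names (host1, host2) looks dynamic to method 2.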
Re: Are botnets relevant to NANOG?
Sean Donelan wrote:
> On Fri, 26 May 2006, John Kristoff wrote:
>> What I'd be curious to know in the numbers being thrown around if there has been any accounting of transient address usage. Since I'm spending
>
> I worked with Adlex to update their software to identify and track dynamic addresses associated with subscriber RADIUS information. At the time, Adlex (now CompuWare) was the only off-the-shelf software that matched unique subscriber RADIUS instead of just IP address. It is behavior based, so not absolutely 100% accurate, but it is useful for long term trending bot-like unique subscribers instead of dynamic IP addresses.
>
> I presented some public numbers at an NSP-SEC BOF. There is a large difference between the number of unique subscribers versus the number of dynamic IP addresses detected by various public detectors.
>
> http://www.compuware.com/products/vantage/4920_ENG_HTML.htm

Just an afterthought: traceroute and take the final router. I guess for aDSL home users you will find some 8 or 11 routers in Germany. My final router never changes. Of course there can hide more than one bad guy behind that router.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Re: ISP compliance LEAs - tech and logistics [was: snfc21 sniffer docs]
[EMAIL PROTECTED] wrote:
>> The NANOG meeting archives are full of presentations as the result of very sophisticated network monitoring. Like most technology, it can be used for good and evil. You can't tell the motivation just from the technology.
>
> OK, so he says in a roundabout way that you are already paying for some sophisticated network monitoring and it probably won't cost you much to just give some data to the authorities.
>
>> Sean, please drop this subject. You have no experience here and it's annoying that you keep making authoritative claims like you have some operational experience in this area. If you do, please do elaborate and correct me. From what I understand from the folks at SBC, you did not run harassing call, annoyance call, and LAES services. I would appreciate a correction.
>
> Huh!?!?!? Are you saying that people should buzz off from the NANOG list if they change jobs and their latest position isn't operational enough? Are you saying that people should not be on the NANOG list unless they have TELEPHONY operational experience? What is the world coming to!?
>
> --Michael Dillon

The guy wants to say, please raise your eyes above the horizon of your plate and view a not yet existing country named Europe. Here our infrastructure is a lot more advanced and we have standardized a common eavesdropping api. That makes sense: with shifting points of view from IRA and Basque Separatists to the European Central Bank, everybody can use the standard API and start listening. Of course nobody except the European Central Bank is allowed listening, but - who cares?

I am told China too is very advanced. But I am sure North America will catch up fast.

Or does he mean Operations, the IRA guys who are running the London Docklands eavesdropping facility, that connects Europe via the glc fibre?

/ranting ? remember where we started ???

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: ISP compliance LEAs - tech and logistics
[EMAIL PROTECTED] wrote:
>> The guy wants to say, please raise your eyes above the horizon of your plate and view a not yet existing country named Europe. Here our infrastructure is a lot more advanced and we have standardized a common eavesdropping api.
>
> We have? News to me.
>
> Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]

Institut européen des normes de télécommunication (European Telecommunications Standards Institute, ETSI):
http://portal.etsi.org/docbox/Workshop/GSC/GSC10_RT_Joint_Session/00index.txt

Doc. Name: gsc10_joint_10r1
File Name: gsc10_joint_10r1.ppt
Title: Lawful Interception standardisation, the status of ETSI LI standards
Source: Peter van der Arend, Chairman ETSI TC LI
Reserved by: Mr. Julian Pritchard from ETSI Secretariat on 2005-08-29 at 14:02:04 (GMT +01:00)
Allocations: 4.3: Security and Lawful Interception
Content Type: none specified
Abstract: none

http://www.gliif.org/LI_standards/ts_102232v010101p.pdf
This one gives an overview.

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: ISP compliance LEAs - tech and logistics
Christian Kuhtz wrote:
> On May 24, 2006, at 9:44 AM, [EMAIL PROTECTED] wrote:
>> I see a list of documents. I see no sign that these documents are standards, nor that they are actually *implemented*. I know for a fact that the service provider I work for has not implemented this on the IP side.

French and German ISPs keep complaining about what it has cost them and they keep informing us (customers) that it is on us to pay the bill. I remember one German ISP who was helpful enough to mention the cost for spying in his bill. It was a mistake and the money was refunded ...

Whenever mailservers are down here in Germany somebody mentions the delay is because all email is routed via the German government again :)

> Now, now, Steinar, we all know that cannot be true. Case in point, everyone has implemented RFC 3514, just because it has been published as a standard. ;-)
>
> Best regards,
> Christian

I just tested my NAT-router and made sure it is RFC 3514 compliant. Yes, the NASTY bit is set :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Re: [Way OT] Re: Geo location to IP mapping
Marshall Eubanks wrote:
> On May 17, 2006, at 2:09 PM, Scott Weeks wrote:
>> - Original Message Follows -
>> From: Jeff Rosowski [EMAIL PROTECTED]
>> I just tried that, says I'm 100 miles south of where I really am. That's quite a long way out in a small country like England.
>>
>> Only 100 miles? I entered the address of a box I have in Virginia, and it says it's in California. Well at least it got the country right.
>>
>> One of the geolocation thingies said my addresses were in Amsterdam. That's only 10,000 miles from Hawaii. 2500 miles more and that's exactly the opposite side of the planet... ;-)
>
> Sometimes knowing which planet you are dealing with can be useful...
>
> Regards
> Marshall
>
>> scott

I am sure it is the right one, but it may be the wrong universe :)

Peter

--
Peter and Karin Dambier
Re: MEDIA: ICANN rejects .xxx domain
[EMAIL PROTECTED] wrote:
>> But there's no technical advantage of a hierarchical system over a simple hashing scheme, they're basically isomorphic other than a hash system can more easily be tuned to a particular distribution goal.
>>
>> Amazing how many experienced people seem to be saying this isn't possible, given there are already schemes out there using flat namespaces for large problems (e.g. Skype, freenet, various file sharing systems). Most of these are also far more dynamic than the DNS in nature, and most have no management overhead with them, you run the software and the namespace just works.

djbdns with its hashing technique could do that but Bind 9 would break. There is still the problem which single point would manage that database.

> According to your description, this is a hierarchical naming system. At the top level you have Skype, freenet, etc. defining separate namespaces. Because DNS was intended to be a universal naming system, it had to incorporate the hierarchy into the system.
>
>> However I think the pain in DNS for most people is the hierarchy, but the diverse registration systems. i.e. It isn't that it is delegated, it is that delegates all do their own thing.
>
> Seems to me that this is part of the definition of delegate. Some would say that this makes for a more robust system than a monolithic hierarchy where everyone has to toe the party line.
>
>> I've always pondered doing a flat, simple part of the DNS, or even an overlay, but of course it needs a business model of sorts.
>
> It has been tried at least twice and failed.
> http://www.theregister.co.uk/2002/05/13/realnames_goes_titsup_com/
> http://www.idcommons.net
>
> --Michael Dillon

It seems to work now. Just google for Apple: Rendezvous and Bonjour.

There are libs for linux and Microsoft too. Both Rendezvous and Bonjour are working. There is an incompatible version from Microsoft too, some say it is vaporware but I can still see their queries for '.local' on our nameservers.

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Re: MEDIA: ICANN rejects .xxx domain
On 5/11/06, Derek J. Balling [EMAIL PROTECTED] wrote:
> If you think *that's* why .XXX died, then I have a small bridge to sell you providing access to Manhattan island.

Derek, I could use your little bridge for our garden, but I am afraid I cannot pay for it :)

Todd Vierling wrote:
> I'll offer you advice once offered to me. Read the sign on the padded cell: Do not feed the troll.

Todd, you got it. Sorry I could not resist such a fat chance.

> Peter's about 51 cards shy of a full deck when it comes to TLDs. I still have a back-of-my-head suspicion that he's a new alter ego of Jim Fleming. <g>

Participating in some of the alternatives I am interested in what becomes of The Root and what becomes of DNS. I am working together with Joe Baptista on the IASON project.

http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/

I like some of Jim's ideas, but I never succeeded in contacting him :)

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Re: MEDIA: ICANN rejects .xxx domain
Steve Gibbard wrote:
> ...
> Note that there are a lot more TLDs than just .COM, .NET, .ORG, etc. The vast majority of them are geographical rather than divided based on organizational function. For large portions of the world, the local TLD allows domain holders to get a domain paid for in local currency, for a price that's locally affordable, with local DNS servers for the TLD. For gTLDs they'd have to pay in US dollars, at prices that are set for Americans, and have them served far away on the other ends of expensive and flaky International transit connections.
>
> -Steve

The problem with ccTLDs is the same as with telephone numbers. You lose them as soon as you move. Maybe that is not a problem in North America, but in Europe it is. You must live in a country to be allowed to register and keep a domain there.

Peter and Karin

--
Peter and Karin Dambier
The Public-Root Consortium
Re: MEDIA: ICANN rejects .xxx domain
So ICANN did come to their senses finally and prevented another collision in balkan namespace :)

; <<>> DiG 9.1.3 <<>> -t any XXX @TLD2.NEWDOTNET.NET
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34062
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;XXX.                           IN      ANY

;; ANSWER SECTION:
XXX.                    7200    IN      NS      tld1.newdotnet.net.
XXX.                    7200    IN      NS      tld2.newdotnet.net.
XXX.                    86400   IN      SOA     ns0.newdotnet.net. hostmaster.new.net. 1147374001 86400 300 1500 600

;; AUTHORITY SECTION:
XXX.                    7200    IN      NS      tld1.newdotnet.net.
XXX.                    7200    IN      NS      tld2.newdotnet.net.

;; ADDITIONAL SECTION:
tld1.newdotnet.net.     604800  IN      A       66.151.57.201
tld2.newdotnet.net.     604800  IN      A       64.211.63.138

;; Query time: 232 msec
;; SERVER: 64.211.63.138#53(TLD2.NEWDOTNET.NET)
;; WHEN: Thu May 11 21:40:08 2006
;; MSG SIZE  rcvd: 187

Thank you ICANN for your continued support of alternative roots.

Cheers
Peter and Karin Dambier

william(at)elan.net wrote:
> http://www.icann.org/announcements/announcement-10may06.htm
>
> -- Forwarded message --
> Date: Thu, 11 May 2006 08:46:40 -0400
> From: David Farber [EMAIL PROTECTED]
> To: ip@v2.listbox.com
> Subject: [IP] ICANN rejects .xxx domain
>
> Begin forwarded message:
>
>> As reported in: http://abcnews.go.com/Business/print?id=1947950
>>
>> ICANN has reversed their earlier preliminary approval, and has now rejected the dot-xxx adult materials top-level domain. I applaud this wise decision by ICANN, which should simultaneously please both anti-porn and free speech proponents, where opposition to the TLD has been intense, though for totally disparate reasons.
>>
>> Nick's AP piece referenced above notes that there are still Congressional efforts to mandate such a TLD. It is important to work toward ensuring that these do not gain traction.
>>
>> --Lauren--
>> Lauren Weinstein
>> [EMAIL PROTECTED] or [EMAIL PROTECTED]
>> Tel: +1 (818) 225-2800
>> http://www.pfir.org/lauren
>> Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
>> Co-Founder, IOIC - International Open Internet Coalition - http://www.ioic.net
>> Moderator, PRIVACY Forum - http://www.vortex.com
>> Member, ACM Committee on Computers and Public Policy
>> Lauren's Blog: http://lauren.vortex.com
>> DayThink: http://daythink.vortex.com

--
Peter and Karin Dambier
The Public-Root Consortium
Re: Usage-based billing
ravi wrote:
> Hello all,
>
> read through the charter/guidelines and I believe (hopefully correctly!) that my questions are not out of place.
>
> I am looking for advice on usage based billing solutions. I am interested both in the data collector / collection part and the billing part, and would ideally want separation between these two parts (so that the collector could be used with alternate billing systems, including in-house ones).
>
> Any suggestions on NetFlow/SFlow use? Tools (apart from Cflowd and flow-tools)? Commercial solutions? What are the general concerns with using NetFlow for billing? I understand I am asking a question that is very wide in scope, but would appreciate even generic pointers in response.
>
> Also, Juniper provides a set of alternate Network Accounting Solutions as their response to Flow-based accounting. Any pointers to comparison of their solution with others? Experiences? Implementation documents?
>
> Thank you,
> --ravi

How do you count DoS and SPAM? They are not wanted. Do you charge for them?

Just a silly user question :)

Kind regards
Peter and Karin
Re: Google AdSense Crash
Accepted: There was a clue but I did not see it.

No, it was not worth ranting about. Sorry for the bandwidth.

Cheers
Peter and Karin

Joel Jaeggli wrote:
> On Mon, 24 Apr 2006, Henry Linneweh wrote:
>> Maintenance windows are common on most network service providers, have been for years...
>
> In what way does that invalidate the fact that I think it wasn't worth reporting?
>
>> -Henry
>>
>> --- Joel Jaeggli [EMAIL PROTECTED] wrote:
>>> On Sun, 23 Apr 2006, Peter Dambier wrote:
>>>> If I understand you correctly then it does not make sense reporting errors here as long as I don't have a clue.
>>>
>>> Reporting a google outage here will likely have no effect on the ETR. It is entirely likely that other people on the list will not be able to observe the same outage.
>>>
>>>> People with a clue don't know I have a problem. There is no problem as long as I don't report it.
>>>
>>> It is in your interest and those of others who depend on a given service to track the availability of that service. Whether or not mail sent to the nanog lists represents a meaningful sample of google adwords customers is left as an exercise for the reader.
>>>
>>>> That saves a lot of bandwidth urgently needed for ranting :)
>>>>
>>>> Have a nice weekend.
>>>>
>>>> Cheers
>>>> Peter and Karin
>>>> --
>>>
>>> --
>>> Joel Jaeggli  Unix Consulting  [EMAIL PROTECTED]
>>> GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Google AdSense Crash
Joel Jaeggli wrote:
> ...
> If one observes enough google outages, one would conclude that they tend to be localized, and transient. One might conclude further from that observation, that as an ASP they don't have all their eggs in the same basket. The upshot though is that observers with different vantage points are observing different pieces of infrastructure.
>
> I personally would question the utility of reporting on a failure of a service without being able to point at least in direction of the piece that failed.

If I understand you correctly then it does not make sense reporting errors here as long as I don't have a clue.

People with a clue don't know I have a problem. There is no problem as long as I don't report it.

That saves a lot of bandwidth urgently needed for ranting :)

Have a nice weekend.

Cheers
Peter and Karin
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
Sorry for the noise again.

Yes, you can edit /etc/hosts
No, the box does not care.

Neither voipd nor multid care for it

Apr 13 05:25:17 voipd[402]: Request: SUBSCRIBE sip:[EMAIL PROTECTED]
Apr 13 05:25:17 voipd[402]: dns: _sip._udp.sipgate.de: query
Apr 13 05:25:17 voipd[402]: dns: _sip._udp.sipgate.de: 0 0 5060 sipgate.de ttl=584 from 192.168.180.1.
Apr 13 05:25:17 voipd[402]: dns: sipgate.de: query
Apr 13 05:25:17 voipd[402]: dns: sipgate.de: 217.10.79.9 ttl=4786 from 192.168.180.1.
Apr 13 05:25:18 voipd[402]: Status: 200 OK

Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: query
Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: 85.214.32.50 ttl=1619 from 192.168.180.1.
Apr 13 02:27:25 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (85.214.32.50)
Apr 13 02:27:25 multid[360]: The NTP time is 13.4.2006 00:27:24.133000 UTC
Apr 13 02:27:25 multid[360]: system time is 1.02 seconds ahead
Apr 13 02:27:25 multid[360]: adjusting time backward 1.02 seconds

Regards,
Peter and Karin

Peter Dambier wrote:
> Just for curiosity, you can change it.
>
> /etc/hosts is a link
>
> /etc/hosts -> ../var/tmp/hosts
>
> you can edit but you cannot permanently save it.
>
> cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.178.1 fritz.box
> 217.10.79.8 0.europe.pool.ntp.org ntp.sipgate.de
>
> Now I don't bother pool.ntp.org but ask my sip provider.
>
> That trick might work for the D-Link too. Of course 0.europe.pool.ntp.org is alright but that ntp server D-Link has is not. You have to insert the hostname plus ip into /var/tmp/hosts or the box will ask DNS.
>
> Cheers
> Peter and Karin
>
> Peter Dambier wrote:
>> From my Fritzbox log:
>>
>> Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
>> Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1.
>> Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63)
>> Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC
>> Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead
>> Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds
>>
>> Seems to do that every 8 hours. I could not find a config file. Compiled into /sbin/multid ?
>>
>> I guess similar devices like the maudit D-Link are much the same. Only that multid daemon seems to be AVM specific. If that NTP thing is from the non disclosed and unGPLed TI source then best forget about it. Replace it by some well-known software that is known not to be nasty.
>>
>> Another router that is not compatible and not especially a good router - has an html interface where you can put in your favourite NTP server.
>>
>> I still wonder why I cannot configure the NTP server but at least it is not as nasty as the D-Link.
>>
>> Peter
>>
>> Stephane Bortzmeyer wrote:
>>> On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER [EMAIL PROTECTED] wrote a message of 27 lines which said:
>>>> AS112-style NTP service, anyone? That would be cooperative and possibly even useful.
>>>
>>> It already exists (Security warning: do not use it on strategic machine, there is no warranty that these servers are trustful):
>>>
>>> http://www.pool.ntp.org/
>>>
>>> Active server count on 2006-04-12
>>> Africa 1
>>> Asia 24
>>> Europe 368
>>> North America 223
>>> Oceania 26
>>> South America 7
>>> Global 582
>>> All Pool Servers 653
>>>
>>> The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable easy to use NTP service for millions of clients without putting a strain on the big popular timeservers.
>>>
>>> Adrian von Bidder created this project after a discussion about resource consumption on the big timeservers, with the idea that for everyday use a DNS round robin would be good enough, and would allow spreading the load over many servers.
>>>
>>> The disadvantage is, of course, that you may occasionally get a bad server and that you usually won't get the server closest to you. The workarounds for this are respectively to make sure you configure at least three servers in your ntp.conf and to use the country zones (for example 0.us.pool.ntp.org) rather than the global zone (for example 0.pool.ntp.org). Read more on using the pool.
>>>
>>> The pool is now enormously popular, being used by at least hundreds of thousands and maybe even millions of systems around the world. The pool project is now being maintained by Ask Bjørn Hansen and a great group of contributors on the mailing lists.
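The log lines above show everything an operator needs to audit what a CPE box does with time: which name it resolved, which address it actually sent the SNTP request to, and how far it stepped the clock. The following is an added example, not code from the thread or from AVM: it parses that exact multid line format, flags a request to a server outside an allow-list (an assumed operator policy; the thread's point is that a hard-wired vendor server is the problem), a request sent to an address DNS never returned for that name, and a single step larger than a few seconds. The third exchange in the sample log is constructed to trigger the checks; the first two are the ones quoted above.

```python
"""Audit SNTP activity from AVM multid syslog lines.

Added example, not code from the thread or from AVM. It assumes the log
format is exactly the one quoted in the thread (timestamp, "multid[pid]:",
message) and that the operator keeps an allow-list of NTP zone suffixes.
The exchange against ntp.vendor.example is constructed, not a real capture.
"""
import re

# Operator policy (assumption): only pool.ntp.org zones are acceptable, and a
# single step larger than this many seconds deserves a look.
ALLOWED_NTP_SUFFIXES = ("pool.ntp.org",)
MAX_STEP_SECONDS = 5.0

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)"
RE_DNS_ANSWER = re.compile(
    TS + r" multid\[\d+\]: dns: (?P<host>\S+): (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"ttl=\d+ from (?P<resolver>[\d.]+)\.$")
RE_SEND = re.compile(
    TS + r" multid\[\d+\]: sending SNTP request to server (?P<host>\S+) "
    r"\((?P<ip>[\d.]+)\)$")
RE_ADJUST = re.compile(
    TS + r" multid\[\d+\]: adjusting time (?P<dir>backward|forward) "
    r"(?P<secs>[\d.]+) seconds$")

# Sample log: the two exchanges quoted in the thread plus one constructed
# exchange against a non-pool server with an hour-sized step.
SAMPLE_LOG = """\
Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1.
Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63)
Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC
Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead
Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds
Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: query
Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: 85.214.32.50 ttl=1619 from 192.168.180.1.
Apr 13 02:27:25 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (85.214.32.50)
Apr 13 02:27:25 multid[360]: The NTP time is 13.4.2006 00:27:24.133000 UTC
Apr 13 02:27:25 multid[360]: system time is 1.02 seconds ahead
Apr 13 02:27:25 multid[360]: adjusting time backward 1.02 seconds
Apr 13 10:27:25 multid[360]: dns: ntp.vendor.example: query
Apr 13 10:27:25 multid[360]: dns: ntp.vendor.example: 192.0.2.10 ttl=60 from 192.168.180.1.
Apr 13 10:27:25 multid[360]: sending SNTP request to server ntp.vendor.example (192.0.2.10)
Apr 13 10:27:25 multid[360]: The NTP time is 13.4.2006 08:27:25.0 UTC
Apr 13 10:27:25 multid[360]: system time is 3600.5 seconds ahead
Apr 13 10:27:25 multid[360]: adjusting time backward 3600.5 seconds
""".splitlines()


def audit_sntp(lines):
    """Return one record per SNTP exchange with the flags it triggered."""
    resolved = {}      # host -> last address the DNS client logged for it
    exchanges = []
    current = None
    for line in lines:
        m = RE_DNS_ANSWER.match(line)
        if m:
            resolved[m["host"]] = m["ip"]
            continue
        m = RE_SEND.match(line)
        if m:
            current = {"when": m["ts"], "server": m["host"], "ip": m["ip"],
                       "step": 0.0, "flags": []}
            if not m["host"].endswith(ALLOWED_NTP_SUFFIXES):
                current["flags"].append("server-not-allowed")
            if resolved.get(m["host"]) != m["ip"]:
                # request went to an address DNS never returned for that name
                current["flags"].append("dns-ip-mismatch")
            exchanges.append(current)
            continue
        m = RE_ADJUST.match(line)
        if m and current is not None:
            step = float(m["secs"])
            current["step"] = step if m["dir"] == "forward" else -step
            if step > MAX_STEP_SECONDS:
                current["flags"].append("large-step")
            current = None
    return exchanges


def suspicious(exchanges):
    """Only the exchanges that raised at least one flag."""
    return [e for e in exchanges if e["flags"]]


if __name__ == "__main__":
    for e in audit_sntp(SAMPLE_LOG):
        print(e["when"], e["server"], e["ip"], f"{e['step']:+.3f}s", e["flags"] or "ok")
```

Feed it `journalctl`/syslog output from the CPE instead of `SAMPLE_LOG` to see which server a box really talks to; the `dns-ip-mismatch` flag is what you would expect to see if the /etc/hosts override described above does not take effect and the daemon uses a compiled-in address instead.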
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
From my Fritzbox log:

Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1.
Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63)
Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC
Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead
Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds

Seems to do that every 8 hours. I could not find a config file. Compiled into /sbin/multid ?

I guess similar devices like the maudit D-Link are much the same. Only that multid daemon seems to be AVM specific. If that NTP thing is from the non disclosed and unGPLed TI source then best forget about it. Replace it by some well-known software that is known not to be nasty.

Another router that is not compatible and not especially a good router - has an html interface where you can put in your favourite NTP server.

I still wonder why I cannot configure the NTP server but at least it is not as nasty as the D-Link.

Peter

Stephane Bortzmeyer wrote:
> On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER [EMAIL PROTECTED] wrote a message of 27 lines which said:
>> AS112-style NTP service, anyone? That would be cooperative and possibly even useful.
>
> It already exists (Security warning: do not use it on strategic machine, there is no warranty that these servers are trustful):
>
> http://www.pool.ntp.org/
> ...
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
Just for curiosity, you can change it.

/etc/hosts is a link

/etc/hosts -> ../var/tmp/hosts

you can edit but you cannot permanently save it.

cat /etc/hosts
127.0.0.1 localhost
192.168.178.1 fritz.box
217.10.79.8 0.europe.pool.ntp.org ntp.sipgate.de

Now I don't bother pool.ntp.org but ask my sip provider.

That trick might work for the D-Link too. Of course 0.europe.pool.ntp.org is alright but that ntp server D-Link has is not. You have to insert the hostname plus ip into /var/tmp/hosts or the box will ask DNS.

Cheers
Peter and Karin

Peter Dambier wrote:
> From my Fritzbox log:
>
> Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
> ...
>
> Stephane Bortzmeyer wrote:
>> ...
Re: Security control in DSL access network
Hi,

I am connected to this monster. I guesstimate it serves some 80,000 customers:

Access-Concentrator: DARX41-erx
AC-Ethernet-Address: 00:04:0e:6d:8a:42

link capacity        kBit/s   8512   1048
ATM-Datarate         kBit/s   1184    160
usable-Datarate      kBit/s   1073    145
interleaved Latenz   ms         16     16
Frame Coding Rate    kBit/s     32     32
FEC Coding Rate      kBit/s    128     32
Trellis Coding Rate  kBit/s    360     60

 1  gw1.selm-media.de (192.168.55.1)  3.226 ms  3.539 ms  3.529 ms
 2  DARX41-erx (217.0.116.49)  45.533 ms  48.356 ms  49.283 ms
 3  p54A7E732.dip.t-dialin.net (84.167.231.50) (N!)  101.063 ms (N!)  106.199 ms (N!)  111.359 ms

 1  krzach.peter-dambier.de (192.168.48.2)  0.735 ms  1.176 ms  1.285 ms
 2  DARX41-erx (217.0.116.49)  55.232 ms  62.911 ms  79.945 ms
 3  p54A7BED2.dip0.t-ipconnect.de (84.167.190.210) (N!)  116.538 ms (N!)  124.900 ms (N!)  133.240 ms

The two sites are some 50 kilometers apart and are served by different ISPs (t-online.de, 1und1.de). The ip-address range is always 84.167.xxx.xxx but it depends on the ISP. The DARX41-erx (217.0.116.49) belongs to dtag.de Deutsche Telekom AG. Some 8 of these boxes, Juniper erx, serve practically most of Germany.

I cannot tell you whether this is a DSLAM or a BRX but I guess it is both in a single box.

Cheers
Peter and Karin

Christian Kuhtz wrote:
> Maybe you're just baiting trolls, and granted, I haven't had my coffee yet. But let's try to be perfectly straight up here.
>
> At the very least, you're making a big assumption here, and that is that there are no EMS in charge of managing configurations and no provisioning system to trigger and not triggering EMS configuration management. In effect, service provisioning doesn't exist in what you describe. While OSS in carrier settings often -- put politely -- leave a lot to be desired, that is -- politely put -- a bit absurd.
>
> That would seem to be very flawed at scale when you're talking 10's of thousands of DSLAMs, not to mention that it is really not matching reality in a carrier setting (rather than small time provider or other type of hack). There may have been periods in the past where that was true, but it is certainly not state of the art during any period of the recent past.
>
> This type of provisioning actually has been around as flow through provisioning for a while, and the flow specifically touches the port a customer would be provisioned on. The day this functionality arrived seems to generally have coincided within a relatively short period around offering variable DSL sync speeds, and it would simply be a business necessity for offering such service variants.
>
> Quite frankly, in such a world, anything more than a field crew making the device available to NMS is total overkill and a waste of time, multiplied by 10K's of DSLAMs, for a few actually provisioned customers.
>
> Btw, if you don't mind, please point out to me a large scale deployment that actually has 10's of thousands of live customers on a single DSLAM or which DSLAM you propose this is even physically possible, as well as anticipated engineered bit rates for such a deployment.
>
> Best regards,
> Christian
>
> On Mar 27, 2006, at 8:21 AM, William Caban wrote:
>> I could add that many of the implementations are done using professional services of whoever the manufacturer of the DSLAM is and it is a very simple and weak configuration. They make sure it works and that's it. No attention is given to security or performance in any form.
>>
>> Now, I should also mention that the reason for this is that the providers usually only pay for this basic configuration and think or assume they can do the rest. The problem is that a DSLAM configuration can become so huge once the service starts rolling that it is hard for anyone to go back and fix the configurations because of the impact it may have on the clients. It is not impossible to fix, it will just have an impact on all the clients arriving at the same DSLAM and this can be counted in tens of thousands of clients.
>>
>> So the solution is to do it right from the beginning.
>>
>> -W
>>
>> Sean Donelan wrote:
>>> On Sun, 26 Mar 2006, Joe Shen wrote:
>>>> Is there any books or papers on carrier level DSL access network and LAN access network? Specifically, it should analyse the features of DSL network and security problems in DSL networks.
>>>
>>> You probably want to start with the DSL Forum http://www.dslforum.org/
>>>
>>> After you get through their technical reports you should be very confused. A problem you will discover is often the DSL folks don't think they have any security problems. That all the security issues are with IP and the ISP.
>>
>> --
>> William Caban-Babilonia
>> Senior Network System Consultant
>> Mobil: 787 378-7602
Re: DNS Amplification Attacks
Please don't take ICANN censoring XN--55QX5D., XN--FIQS8S. and XN--IO0A7I. seriously. Meant as a joke. Did not make it. Sorry!

Joseph S D Yao wrote:
> You keep using that word. I do not think it means what you think it means.

My dictionary says censor is from Latin. A magistrate, let's call him a politician like

http://odem.org/akteure/juergen-buessow.de.html
http://www.wdr.de/themen/politik/nrw/demo_internetzensur/index.jhtml
http://www.heise.de/tp/r4/artikel/12/12733/1.html

Sorry I have this guy only in German.

This guy ordered some local ISPs to make sites unavailable, mostly by forging DNS entries kept in their local resolvers. I was told by people involuntarily working for him that more than 6000 sites were involved. Quite a lot of them collateral damage.

The Latin version says this guy is taking things out of books so the ordinary Roman was not annoyed by distasteful things. I guess you see the irony.

Büssow meant to keep journalists from seeing sites in the USA and Canada that would be prosecuted in Germany. His helpers felt invited to do a lot more good and played some tricks on their friends.

In Germany we do not pick a leaf from a tree. We cut the tree and dig out the root.

If you have to live with a resolver that is answering as slowly as this one

; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de.          IN      A

;; ANSWER SECTION:
www.peter-dambier.de.   6000    IN      A       82.165.62.90

;; Query time: 2118 msec
;; SERVER: 217.237.150.141#53(www-proxy.UL1.srv.t-online.de)
;; WHEN: Thu Mar 23 13:59:57 2006
;; MSG SIZE  rcvd: 54

my local ISP, then you feel tempted to use a foreign resolver.

So for me running my own independent resolver was a must. But many of my colleagues are not computer science people. Many of the poor buggers are running some flavour of windows. For them it is life behind the big Chinese firewall if they cannot find an open resolver.

Please excuse if I overreact a bit on this matter.

Cheers
Peter and Karin
(Karin is a writer too, but she is not the computer woman :)
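The two complaints in this message, forged entries in an ISP resolver and a resolver that takes two seconds to answer, are both visible in plain dig output: compare the ANSWER SECTION against a reference obtained from the zone's authoritative servers (or a resolver you run yourself), and read the Query time line. The following is an added example, not code from the thread: it parses dig's text layout (the same layout as the .XXX query earlier on this page), and flags a resolver whose A records differ from the reference or whose answer is slower than a threshold. The first sample is the t-online output quoted above; the second, against the documentation address 192.0.2.53, is constructed to show a substituted record.

```python
"""Compare a resolver's answer against a reference to spot forged or slow DNS.

Added example, not code from the thread. It parses the text layout of dig
as quoted in the messages and assumes the operator already holds a
reference answer from the authoritative servers or a trusted resolver.
DIG_FORGED below is constructed, not a real capture.
"""
import re

RE_RR = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<data>.+?)\s*$")
RE_STATUS = re.compile(r"status: (?P<status>[A-Z]+)")
RE_QTIME = re.compile(r"^;; Query time: (?P<ms>\d+) msec", re.M)
RE_SERVER = re.compile(r"^;; SERVER: (?P<server>\S+)", re.M)

# The t-online proxy resolver output quoted in the message above.
DIG_TONLINE = """\
; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de.          IN      A

;; ANSWER SECTION:
www.peter-dambier.de.   6000    IN      A       82.165.62.90

;; Query time: 2118 msec
;; SERVER: 217.237.150.141#53(www-proxy.UL1.srv.t-online.de)
;; WHEN: Thu Mar 23 13:59:57 2006
;; MSG SIZE  rcvd: 54
"""

# Constructed: a resolver that hands back a substituted A record, the
# forging technique the message describes.
DIG_FORGED = """\
; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @192.0.2.53
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de.          IN      A

;; ANSWER SECTION:
www.peter-dambier.de.   300     IN      A       203.0.113.7

;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""


def parse_dig(text):
    """Extract status, server, query time and the ANSWER SECTION records."""
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False       # section ends at a blank or comment line
                continue
            m = RE_RR.match(line)
            if m:
                answers.append((m["name"], m["type"], m["data"]))
    status = RE_STATUS.search(text)
    qtime = RE_QTIME.search(text)
    server = RE_SERVER.search(text)
    return {
        "status": status["status"] if status else None,
        "server": server["server"] if server else None,
        "qtime_ms": int(qtime["ms"]) if qtime else None,
        "answers": answers,
    }


def check_resolver(text, expected_a, max_ms=1000):
    """Return (server, flags): answer differs from the reference, or too slow."""
    parsed = parse_dig(text)
    flags = []
    if parsed["status"] != "NOERROR":
        flags.append(f"status-{parsed['status']}")
    got = {data for _, rtype, data in parsed["answers"] if rtype == "A"}
    if got != set(expected_a):
        flags.append("answer-mismatch")
    if parsed["qtime_ms"] is not None and parsed["qtime_ms"] > max_ms:
        flags.append("slow")
    return parsed["server"], flags


if __name__ == "__main__":
    for sample in (DIG_TONLINE, DIG_FORGED):
        print(check_resolver(sample, ["82.165.62.90"]))
```

Run it over the output of `dig name @resolver` for each resolver you are handed and for one you trust; a mismatch with a NOERROR status is the signature of a locally forged zone rather than an outage.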
Re: DNS Amplification Attacks
Florian Weimer wrote:
> * Peter Dambier:
>> In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools.
>
> This is not true. There has been some questionable advice by a regulatory body, though. Most damage is done by ISPs which simply do not adjust the filters to the moving target and run them as-is since 2001 or so. Null routes tend to filter a different customer after such a long time.

Here it is documented. Sorry it is in German only:

http://odem.org/informationsfreiheit/
http://www.ccc.de/censorship/?language=de
http://www.netzzensur.de/demo/
http://www.politik-digital.de/edemocracy/netzrecht/dorf.shtml
http://www.zdnet.de/news/software/0,39023144,2124117,00.htm

A local city chieftain could claim ownership of an internet site located in the USA and even capture their emails. As far as I am informed the censorship at some ISPs is still active but they claim no longer to be their mailhost.

I was informed of this DNS forgery because of the collateral damage done. Several sites were censored and could only escape by changing providers. At least one of the providers is bankrupt today. I don't know if censoring was the reason why.

>> How about alternative roots? ICANN does censor XN--55QX5D., XN--FIQS8S. and XN--IO0A7I. already. You must use alternative roots to exchange emails with people living in those domains.
>
> Unfortunately, they also censor ENYO..

That is the reason why :)

Nevertheless I could see the site http://www.enyo/ after adding

212.9.189.164 www.enyo enyo

to my /etc/hosts

Maybe even could send you emails?

Kind regards
Peter and Karin Dambier
Re: DNS Amplification Attacks
Florian Weimer wrote:
> * Andy Davidson:
>> DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
>
> Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(

It is not as good as an open resolver but maybe IEN116 nameservers (the old port 42 nameserver) could do too but maybe some windows boxes would break.

Originally the port 42 nameserver was left for dying but with AXFR gone and open resolvers gone it might be a good idea to give them a revival.

Cheers
Peter and Karin
Re: DNS Amplification Attacks
Joseph S D Yao wrote:
> On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote:
> ...
>> Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies.
> ...
>
> Then leave governments out of it, and re-phrase the question in this way. If one can not run one's own DNS server on the public Internet, but must rely on a DNS service supplier for your DNS, and at some point you start to wonder about the technical competence or correct configuration of the DNS service supplier whose DNS you are configured to use, and all other DNS servers out there are configured to refuse recursive service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what the world should be seeing?

That is exactly what worries me.

In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools. Corrupt people use it to play tricks on their friends.

How about alternative roots? ICANN does censor XN--55QX5D., XN--FIQS8S. and XN--IO0A7I. already. You must use alternative roots to exchange emails with people living in those domains.

Banning open resolvers means censoring for a lot of people, at least if they cannot run their own servers.

Regards
Peter and Karin Dambier
Re: Security problem in PPPoE connection
Joe Shen wrote:
> Hi,
>
> We are facing problem with PPPoE in ethernet access network.
>
> To provide high speed access, 10Mbps/100Mbps ethernet is used as access method. But, we found some guy 'steal' some other's account by listening to broadcasting packets, and they also set up 'phishing' PPPoE server to catch those PPPoE authentication packets.
>
> With ATM DSLAM, we could solve this by binding account with PVC. With ethernet, although we could separate subscribers into VLANs there is more than 100 subscribers within one VLAN.
>
> What's your method to deal with such problem? Will CHAP in PPPoE help?
>
> thanks
>
> Joe

http://www.juniper.net/products/eseries/

Hi Joe,

I am connected through this one:

Access-Concentrator: DARX41-erx
AC-Ethernet-Address: 00:90:1a:a0:01:46
--

I guess dtag.de has got some 8 of them. Everybody (almost) offering dsl in Germany goes through their infrastructure. The ip address range 84.167.0.0/16 seems to be shared by all of them.

I did have an intruder myself reported by arpwatch.

host_look(192.168.20.80,fluffy.n,3232240720).
host_name(192.168.20.80,fluffy.n).

That thing is a PPPoE modem looking like a bridge. It allows different people behind it to access the DARX41-erx using different mac addresses (client) and userid/passwords to access each their own ISPs. All of these boxes have the same ip-address. If a box finds another one via arp then it shuts down. To prevent broadcast storms?

That box made me look very carefully at PPPoE but I never have seen anything but the packets that were sent to me only. I did supply a PPPoE server. It never saw anybody access it but my own machines. I tried to reach my neighbour and to build a private communications channel. Never could we see each other.

I guess dtag.de feels so secure with them that they don't enable chap.

Using chap will help you but it will not solve the real problem. At least you will make the poor fishermen angry - but maybe nasty too.

Have a look at

http://iason.site.voila.fr/
http://www.koom.com/iason/

There are some tools that might help you tracking those people via their mac-addresses. Chance is good you might make some friends. You can always need some people with a clue, can't you :)

Kind regards
Peter and Karin
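Two defensive points sit in this exchange: the "phishing" PPPoE server Joe describes has to announce itself with a PADO that carries an AC-Name and a source MAC, so an allow-list of the real concentrator's identity on each subscriber VLAN turns rogue offers into alerts; and CHAP helps against passive sniffing because the password never crosses the wire, while a rogue concentrator can still hand out challenges and collect responses, which is why Peter says it does not solve the real problem. The following is an added example, not code from the thread or from IASON: the trusted AC-Name and the two AC MAC addresses are the ones reported in Peter's messages on this page; the PADO observations and the CHAP secret and challenge are constructed. It assumes a sniffer on the subscriber VLAN supplies (source MAC, AC-Name) pairs from PADO frames.

```python
"""Spot rogue PPPoE access concentrators and show what CHAP changes.

Added example, not code from the thread. TRUSTED_ACS holds the AC-Name and
AC MAC addresses reported in the messages above (an assumed per-VLAN
allow-list); SAMPLE_PADOS and the CHAP values are constructed.
"""
import hashlib
import hmac
from collections import Counter

# AC-Name -> set of MAC addresses the real concentrator answers from.
TRUSTED_ACS = {"DARX41-erx": {"00:90:1a:a0:01:46", "00:04:0e:6d:8a:42"}}

# Constructed (source MAC, AC-Name) pairs as pulled from PADO frames seen on
# a subscriber VLAN. The last three are the cases a rogue server produces.
SAMPLE_PADOS = [
    ("00:90:1a:a0:01:46", "DARX41-erx"),
    ("00:04:0e:6d:8a:42", "DARX41-erx"),
    ("00:16:3e:aa:bb:cc", "DARX41-erx"),  # trusted name, foreign MAC
    ("00:16:3e:dd:ee:ff", "free-dsl"),    # concentrator nobody provisioned
    ("00:16:3e:dd:ee:ff", "free-dsl"),
]


def classify_pados(pados, trusted=TRUSTED_ACS):
    """One finding per (MAC, AC-Name) pair that is not on the allow-list."""
    findings = []
    for (mac, ac_name), offers in Counter(pados).items():
        if mac in trusted.get(ac_name, ()):
            continue                      # the real concentrator
        kind = "ac-name-impersonation" if ac_name in trusted else "unknown-ac"
        findings.append({"mac": mac, "ac_name": ac_name,
                         "offers": offers, "kind": kind})
    return findings


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || challenge).

    Only this digest travels over the link, never the secret itself, which is
    what PAP would have sent in the clear.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server-side check of a CHAP response against the stored secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    for f in classify_pados(SAMPLE_PADOS):
        print(f"{f['kind']:22} {f['mac']} AC-Name={f['ac_name']} offers={f['offers']}")
    challenge = b"\x10\x20\x30\x40\x50\x60\x70\x80"   # constructed
    resp = chap_response(1, b"subscriber-secret", challenge)
    print("CHAP ok:", chap_verify(1, b"subscriber-secret", challenge, resp))
```

The allow-list is what addresses the rogue server: a PADO from an unlisted MAC, or from a listed AC-Name on an unlisted MAC, is the event to alarm on and to trace to a switch port. CHAP removes the cleartext password from the wire, but a rogue concentrator that reaches the discovery stage still collects challenge/response pairs, so the two measures belong together rather than as alternatives.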
Re: Italy is promoting djbdns
Marco d'Itri wrote:
> On Mar 06, Rodney Joffe [EMAIL PROTECTED] wrote:
>> It appears that Italy has ordered Italian ISPs to block access to a number of Internet Gambling sites. It would be interesting to see how the Italian ISPs are handling this, what with dynamic DNS and all that...
>
> So far, the method officially recommended by the government entity involved with collecting the gambling fees has been to create fake zones on the caching resolvers of the large consumer ISPs.

I always think of Italy as a more liberal country than the rest of Europe. I hope this will change the dns world once and forever. It is not so hard to build your own dns server. The rest of us can buy routers with builtin anti-censoring dns resolvers.

It makes sense running your own dns. It is faster than the gift (poison) dns from your ISP. Nasty: English gift means poison in German :)

It does not matter whether you use bind or djbdns. Do use it!

> Operationally, I wonder how many ISPs will bother removing these zones when the law will be repealed (because there is no chance that it will stand before the european courts).

Italy has a name to lose for uncensored internet. I hope they don't ruin it.

> From a more practical POV, it can be noted that the obvious methods useful to bypass the block (using a random open proxy or just a random open resolver) have been widely advertised on gambling forums even before it was implemented. Personally I do not believe that the government ever believed that this would work, it's just a trick to add some extra future earnings to the 2006 budget law.

Kind regards
Peter and Karin Dambier
Re: Presumed RF Interference
Randy Bush wrote:
>> Cut the ground wire in your power cords but ground the equipment directly to a metal frame.
>
> i strongly recommend that you do this, especially in your 240vac environment. excellent solution to a lot of problems.
>
> randy

I agree, don't propose this to a wood logger :)

But yes, I did. I have seen an installation where ground was floating somewhere at 110 Volts AC. There was no way to tame it. We had to cut it. Of course we did it not on the wire but in the sockets, and we got a reasonable ground before we did. Don't read in the books - and don't tell a lawyer :)

The soil was extremely dry (not in Europe) and the power line was extremely long...

Regards
Peter and Karin

--
Peter and Karin Dambier
Re: GoDaddy.com shuts down entire data center?
Greg Boehnlein wrote:
> On Mon, 16 Jan 2006, Martin Hannigan wrote:
>> Here's the story on the big outage.
>> http://marc.perkel.com/index.html
>>
>> Here's another recorded conversation. (Can you do this in NJ?)
>> http://marc.perkel.com/audio/godaddy2.mp3
>>
>> The GoDaddy folks are well trained. Kudos.
>
> While I do believe that GoDaddy appears to have some sloppy policies and procedures, if you listen to both conversations, you will find that GoDaddy followed a procedure to deal with the issue, and the caller patently refused to follow it.

If I have read it correctly then nectartech has followed the procedures by email after cleaning the phishing computer. But GoDaddy did not ack nectartech's emails. GoDaddy claimed again and again the system was spamming/phishing when in reality the system was switched off.

What else could they do?

--
Peter and Karin Dambier
Re: Compromised machines liable for damage?
Gadi Evron wrote:
> On Sun, 25 Dec 2005, Dave Pooser wrote:
>>> This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
>>
>> As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
>>
>> But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
>
> I'd like to bring some conclusions from past discussions on this issue to the table.
>
> First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
>
> There are two somewhat interesting metaphors that explain contradicting views:
>
> 1. The gun owner: If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail. If your gun is used in a crime such as, say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").
>
> 2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.
>
> Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.
>
> Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.
>
> I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.
>
> One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority over rape or murder.
>
> Gadi.

Take a car for example. Somebody is stealing your car. He gets photographed crossing a red traffic light and there is an accident. You don't get punished for the red traffic light but you still have to pay for the accident.

Peter and Karin

--
Peter and Karin Dambier
Re: Awful quiet?
Jim Popovitch wrote:
> I miss the endless debates. Is *everyone* Christmas shopping? Here's a thought to ponder: With the thousands of datacenters that exist with IPv4 cores, what will it take to get them to move all of their infrastructure and customers to IPv6? Can it even be done or will they just run IPv6 to the core and proxy the rest?
>
> -Jim P.

Looking at my own datacenter:

Unifix Linux 2.0.0
No, it will never move.

Eisfair, kernel 2.2.x
My router and my DNS, FTP, remote shell
No, they will probably never move.

Suse Linux 8.3 (kernel 2.4.x), my workstation
Used to have its IPv6 enabled. Gave me problems with connectivity. I don't have IPv6 to the outside so I had to disable the stack. Runs a lot smoother now. It took me a week to get the IPv6 stack running in the first place.

I tried ISODE 8.0 recently. It still works on all my computers. I could even connect to a friend who also tried ISODE 8.0. It works through IPv4. What happened to ISO? I guess that is what will finally happen to IPv6.

I used to have a local IPv6 network running. But with site-local and link-local disappearing the configuration became invalid. Not having valid IPv6 addresses any longer I did not get a headache when I took my IPv6 stack down. My log looks cleaner. No more complaints from my DNS server.

Now I am looking forward to what will come after IPv6. :)

Merry Christmess
Peter and Karin

--
Peter and Karin Dambier
Fergies friends
Is this personal or just a creative way of sending spam? It could have been anybody hitting the "send this article to a friend" button. Nevertheless, you might be able to find the guy's IP, if he really angers you. Maybe his boss is on the list too :)

Cheers
Peter and Karin

===

Received: from tribuneinteractive.com (s89.tribuneinteractive.com [12.130.90.37])
    by fiji.merit.edu (Postfix) with ESMTP id 856EA18B4
    for nanog@merit.edu; Fri, 16 Dec 2005 02:26:54 -0500 (EST)
Received: from s79 (s79.rc.trb [192.168.120.78])
    by tribuneinteractive.com (8.12.10/8.12.8) with ESMTP id jBG7Qs6E017130
    for nanog@merit.edu; Thu, 15 Dec 2005 23:26:54 -0800 (PST)
Message-ID: [EMAIL PROTECTED]

Received: from tribuneinteractive.com (s89.tribuneinteractive.com [12.130.90.37])
    by fiji.merit.edu (Postfix) with ESMTP id 93DD617D6
    for nanog@merit.edu; Fri, 16 Dec 2005 02:24:28 -0500 (EST)
Received: from s79 (s79.rc.trb [192.168.120.78])
    by tribuneinteractive.com (8.12.10/8.12.8) with ESMTP id jBG7OR6E017004
    for nanog@merit.edu; Thu, 15 Dec 2005 23:24:27 -0800 (PST)
Message-ID: [EMAIL PROTECTED]

Received: from tribuneinteractive.com (s89.tribuneinteractive.com [12.130.90.37])
    by fiji.merit.edu (Postfix) with ESMTP id E4F3A17D6
    for nanog@merit.edu; Fri, 16 Dec 2005 02:26:32 -0500 (EST)
Received: from s79 (s79.rc.trb [192.168.120.78])
    by tribuneinteractive.com (8.12.10/8.12.8) with ESMTP id jBG7QW6E017114
    for nanog@merit.edu; Thu, 15 Dec 2005 23:26:32 -0800 (PST)
Message-ID: [EMAIL PROTECTED]

The admin of

; <<>> DiG 9.1.3 <<>> -t any s89.tribuneinteractive.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;s89.tribuneinteractive.com. IN ANY

;; ANSWER SECTION:
s89.tribuneinteractive.com. 300 IN A 12.130.90.37

;; AUTHORITY SECTION:
tribuneinteractive.com. 300 IN NS chisun2.tribune.com.
tribuneinteractive.com. 300 IN NS latsun6.tribune.com.
tribuneinteractive.com. 300 IN NS ns-east.cerf.net.
tribuneinteractive.com. 300 IN NS ns-west.cerf.net.

;; ADDITIONAL SECTION:
chisun2.tribune.com. 170593 IN A 163.192.1.10
latsun6.tribune.com. 170593 IN A 144.142.2.6
ns-east.cerf.net. 170593 IN A 207.252.96.3
ns-west.cerf.net. 170593 IN A 192.153.156.3

;; Query time: 513 msec
;; SERVER: 192.168.48.228#53(192.168.48.228)
;; WHEN: Fri Dec 16 17:01:41 2005
;; MSG SIZE  rcvd: 228

and of

; <<>> DiG 9.1.3 <<>> -t any s79.tribuneinteractive.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11428
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;s79.tribuneinteractive.com. IN ANY

;; AUTHORITY SECTION:
tribuneinteractive.com. 300 IN SOA chisun2.tribune.com. \
    [EMAIL PROTECTED] 2005111701 3600 900 604800 86400

;; Query time: 233 msec
;; SERVER: 192.168.48.228#53(192.168.48.228)
;; WHEN: Fri Dec 16 17:04:42 2005
;; MSG SIZE  rcvd: 109

Could probably help

--
Peter and Karin Dambier
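An added example (not code from the post) of how a mail admin walks such Received: headers from their own MTA inward to find where a message entered the public Internet. It uses the first Received: pair quoted above as input; the third line in FORGED_TAIL is constructed to show how an inconsistent hop stops the walk.

```python
"""Walk a message's Received: chain from our own MTA inward and report the
public hand-off address and the innermost verifiable hop.  Added example
built on the headers quoted above; the FORGED_TAIL line is constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# sendmail/Postfix style: "from HELO (rdns [ip]) by HOST ... ; date"
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


class Hop(NamedTuple):
    helo: str              # name the sending host announced in HELO/EHLO
    rdns: Optional[str]    # reverse DNS the receiving MTA looked up
    ip: str                # address the receiving MTA actually saw
    by: str                # the MTA that wrote this line
    date: str


class Origin(NamedTuple):
    entry_ip: Optional[str]        # last public address before our MTA
    internal_host: Optional[str]   # innermost private-address hop, if any
    hops_verified: int             # lines that form one consistent chain


def parse_received(lines: List[str]) -> List[Hop]:
    """Parse Received: headers in message order (outermost first).
    Folded headers must be joined beforehand; non-matching lines are skipped."""
    hops = []
    for line in lines:
        m = RECEIVED_RE.match(" ".join(line.split()))
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"], m["date"]))
    return hops


def trace_origin(hops: List[Hop], our_mta: str) -> Origin:
    """Start at the line stamped by our own MTA, the only one we can trust,
    and follow the chain inward while each line was stamped by the host
    that handed the message to the line above it."""
    start = next((i for i, h in enumerate(hops) if h.by == our_mta), None)
    if start is None:
        raise ValueError(f"no Received: line written by {our_mta}")
    chain = [hops[start]]
    for cur in hops[start + 1:]:
        prev = chain[-1]
        if cur.by not in (prev.helo, prev.rdns):
            break      # inconsistent: anything further in may be forged
        chain.append(cur)
    public = [h for h in chain if ipaddress.ip_address(h.ip).is_global]
    private = [h for h in chain if ipaddress.ip_address(h.ip).is_private]
    return Origin(
        entry_ip=public[-1].ip if public else None,
        internal_host=(private[-1].rdns or private[-1].helo) if private else None,
        hops_verified=len(chain),
    )


# The outermost Received: pair from the first message quoted above.
SAMPLE_HEADERS = [
    "Received: from tribuneinteractive.com (s89.tribuneinteractive.com "
    "[12.130.90.37]) by fiji.merit.edu (Postfix) with ESMTP id 856EA18B4 "
    "for nanog@merit.edu; Fri, 16 Dec 2005 02:26:54 -0500 (EST)",
    "Received: from s79 (s79.rc.trb [192.168.120.78]) by tribuneinteractive.com "
    "(8.12.10/8.12.8) with ESMTP id jBG7Qs6E017130 for nanog@merit.edu; "
    "Thu, 15 Dec 2005 23:26:54 -0800 (PST)",
]
# Constructed: a sender can prepend any Received: line it likes.  This one
# claims a stamping host that never handed the message to the line above it.
FORGED_TAIL = SAMPLE_HEADERS + [
    "Received: from nowhere (nowhere.invalid [10.9.8.7]) by mx.example.invalid "
    "(Postfix) with ESMTP id 000000; Thu, 15 Dec 2005 20:00:00 -0800 (PST)",
]

if __name__ == "__main__":
    for label, hdrs in (("genuine", SAMPLE_HEADERS), ("forged tail", FORGED_TAIL)):
        print(label, trace_origin(parse_received(hdrs), "fiji.merit.edu"))
```

The consistency check only proves that the chain is self-consistent, not that the inner lines are genuine; the address in your own MTA's line is the only one you saw yourself.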
Re: NAT Configuration for Dual WAN Router
Joe Johnson wrote:
> I've been trying over and over to figure this one out, but I'm just hitting the end of my wits. We have a remote office that can only get 768Kbps DSL, which they've not totally maxed out. So management's solution now is to buy a second DSL line, but they won't let me buy a dual WAN router (in case they add a 3rd DSL line). I've found some great articles on how to get the interfaces working with 2 default gateways (I used this: http://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs) and that is all running fine. It alternates every few minutes which WAN port is used when I traceroute yahoo.com (which is fine) and everything is connecting fine from the router. However, I can't figure out how to get NAT running on the server for the 2 WAN ports for clients inside the LAN. I can NAT to 1 DSL, but that is useless. What I am looking for is a tutorial in how to do this or a pointer to someone who can help. Anyone know of a resource for this?
>
> Joe Johnson
> [EMAIL PROTECTED]

I don't see how the router can NAT to more than one IP address. So you need one NAT router per DSL line.

Now use your Linux, without NAT, to distribute the traffic. Make a guess where most of your traffic goes. Get some vague IP address ranges and divide them. E.g. send all traffic to Microsoft via router-1 and all traffic to CNN via router-2.

Both your clients and your Linux router don't know about the NAT. The routers, up to 500 of them :), don't know anything except NAT.

If your clients are in 192.168.xxx.xxx then it might be a good idea to put the NAT routers in 10.xxx.xxx.1. No need for the routers to talk to each other. Your Linux router needs a virtual interface on, say, 10.xxx.xxx.2 to talk to each router.

It would be good to have a real interface for each router to the Linux and to have a separate one for your clients. But the Linux is intelligent enough and those 1 MBit DSL lines are slow enough that you can put everything together on one switch. No need to bother which line is which... 10 MBit is fast enough to the outside.

Another approach:

Can you split your customers into separate networks that don't talk to each other? Then give each group its own NAT router and give your servers two or more interfaces to make them part of both networks. You must put the routers in different networks of course, say 192.168.1.xxx and 192.168.2.xxx

Use an http://www-03.ibm.com/servers/eserver/bladecenter/

Then you run one Linux for each DSL line. Those Linuxes know how to route internally too. Now you simply distribute the clients between the Linuxes. Don't ask the price. Your management will be delighted :)

This solution will allow you some 8 DSL lines. If you need more, buy another bladecenter and connect them.

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
Re: Let's talk about ICANN
JC Dill wrote:
> I'm surprised that I've yet to see any mention here on NANOG about the Internet Governance Forum discussions that were held at the WSIS / United Nations summit in Tunisia a few weeks ago. From my reading of the various articles, it appears that the EU together with some developing nations wanted to wrest control of the Internet away from the US and ICANN. Was everyone unaware of this, or were you just counting on Vint Cerf to talk sense into the delegates from the other countries?
>
> http://news.com.com/U.N.+says+its+plans+are+misunderstood/2008-1028_3-5959117.html
>
> Then there was ICANN's sudden delay of discussion/approval of .xxx:
> http://news.google.com/news?q=icann+xxx
>
> followed by their approval of .asia:
> http://news.google.com/news?q=icann+asia
>
> Is anyone here paying any attention to any of this?
>
> jc

Yes, I am. But I am listening in the other forum too.

Cheers,
Peter and Karin Dambier

--
Peter and Karin Dambier
Re: Let's talk about ICANN
Greg wrote:
> * OFF LIST *
>
> ----- Original Message -----
> From: JC Dill [EMAIL PROTECTED]
> To: nanog@merit.edu
> Sent: Monday, December 12, 2005 10:23 PM
> Subject: Let's talk about ICANN
>
>> I'm surprised that I've yet to see any mention here on NANOG about the Internet Governance Forum discussions that were held at the WSIS / United Nations summit in Tunisia a few weeks ago. From my reading of the various articles, it appears that the EU together with some developing nations wanted to wrest control of the Internet away from the US and ICANN. Was everyone unaware of this, or were you just counting on Vint Cerf to talk sense into the delegates from the other countries?
>
> It's old news by now but I don't see your point in saying Vint would talk common sense as if implying taking control away would have been against common sense. I can see the point that countries that put down all sorts of commonly talked about subjects would have made a mash of it but then that is entirely America/ICANN's fault for getting into the situation.
>
> Clinton and/or advisors were very smart in his term in office. They could foresee Internet and what it would mean to the world. At the same time they were incredibly dumb. It *SHOULD* have been registered as a company, worldwide, and then offered free to all. In that way they could have kept control. Now, though there is some leeway, there is no certainty.
>
> Let's face it - when, not if, China makes its own version, that will be when the shit hits the fan BUT as they have the Beijing Olympics and wresting control of Internet away from what it is now would seriously harm them, they won't do anything until it is over. THAT is when China will make its own brand Internet.

They are already here:

; <<>> DiG 9.1.3 <<>> -t any xn--8pru44h.xn--55qx5d @hawk2.cnnic.net.cn.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7027
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;xn--8pru44h.xn--55qx5d. IN ANY

;; ANSWER SECTION:
xn--8pru44h.xn--55qx5d. 1800 IN SOA ns5.ce.net.cn. tech.ce.net.cn. 2004072009 3600 900 1209600 1800
xn--8pru44h.xn--55qx5d. 1800 IN MX 10 mail.xn--8pru44h.xn--55qx5d.
xn--8pru44h.xn--55qx5d. 1800 IN NS ns5.ce.net.cn.
xn--8pru44h.xn--55qx5d. 1800 IN A 210.51.169.151

;; AUTHORITY SECTION:
xn--8pru44h.xn--55qx5d. 1800 IN NS ns5.ce.net.cn.

;; ADDITIONAL SECTION:
mail.xn--8pru44h.xn--55qx5d. 1800 IN A 210.51.171.29
ns5.ce.net.cn. 716 IN A 210.51.171.200

;; Query time: 451 msec
;; SERVER: 159.226.6.185#53(hawk2.cnnic.net.cn.)
;; WHEN: Mon Dec 12 13:28:35 2005
;; MSG SIZE  rcvd: 191

and they can send and receive emails.

> IMHO, we will end up back in the old BBS days of the 80s except it will be Internet style BBS communication, if this shattering occurs but don't fret too much. There is yet another glimmer of hope on the horizon. Keep an eye on the upcoming 3D computing environment and virtual technology. When that becomes a reliable and cheap enough source, that will replace Internet and if, this time, USA trademarks it as I described above, there should be no problems with people HONESTLY meeting in cyberspace.
>
> Greg.

That has been the time when good old UUCP linked all those different BBSes and hosts. UUCP is still there. Bye bye M$ Outlook :)

Next generation resolvers will learn how to use many roots. Next generation email servers will too. The SPAMmers will be the first.

--
Peter and Karin Dambier
Re: Viral Cure Could 'Immunise' The Internet
[EMAIL PROTECTED] wrote:
> Thought folks might find this interesting
>
> http://www.newscientist.com/article.ns?id=dn8403
>
> Viral Cure Could 'Immunise' The Internet, New Scientist
>
> Excerpts:
>
> A cure for computer viruses that spreads in a viral fashion could immunise the internet, even against pests that travel at lightning speed, a mathematical study reveals.
>
> Most conventional anti-virus programs use signatures to identify and block viruses. But experts must first analyse a virus before sending out the fix. This means that rapidly spreading viruses can cause widespread damage before being stopped.
>
> Source: Viral Cure Could 'Immunise' The Internet, Kurt Kleiner, NewScientist, 05/12/01

Sounds like: I make your computer part of my botnet - only to prevent you from becoming part of somebody else's botnet.

How do I discriminate a real virus from a preventive one? I mean, how do I forge my virus so that you believe it is a preventive one?

How about biology? AIDS works by attacking the immune system. If we had no white blood vessels there would be no AIDS.

Some vermin does already use Anti Virus Systems to spread.

Ok, if they use their preventive virus to kill all Windows out there and replace it with a Linux? Yes, that might be an idea. That would really stop the virus. ;)

--
Peter and Karin Dambier
Re: IAB and private numbering
Sorry, I have been daydreaming :)

But waking up is a nightmare too: Getting rid of all those locally administered addresses. Looks like it has taken me back to IPv4 for some time.

There should never have been rfc1918 in the first place, nor NAT either.

Regards,
Peter

Steven M. Bellovin wrote:
> In message [EMAIL PROTECTED], Peter Dambier writes:
>> Christopher L. Morrow wrote:
>>> ... I don't believe there is a 'rfc1918' in v6 (yet), I agree that it doesn't seem relevant, damaging perhaps though :)
>>
>> Yes, there was rfc1918 in IPv6 right from the beginning:
>>
>> Site local addresses 0xF80 don't leave a site. They can be routed within a site but they never get outside. Just like rfc1918 addresses do.
>
> Yes, and site-local addresses have been removed from the spec, because of the many problems they cause.
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--
Peter and Karin Dambier
Re: a record?
Randy Bush wrote:
> for one host, 185,932 ssh dictionary password attacks in one gmt day (and, of course, password login is not enabled).
>
> randy

I guess it is. Must be a high performing system :)

I have seen many attacks on DSL 1000 MBit and 2000 MBit hosts. Attacks typically lasted 10 minutes. No more than 10 attacks a day. I did not count the passwords - I guess it must have been 250 each.

Getting rid of them:

Starting sshd from xinetd or inetd. If you have an ol' 386 like me they have already wasted their wordbook before your sshd comes up.

Moving sshd from port 22 to port 137, 138 or 139. Nasty eh? Seen no more wordbooks since. Had to buy me a dictionary :)

I would not dare enabling logins on your system.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
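An added example, not from the thread, of the counting Randy and Peter are doing by hand: it groups sshd "Failed password" lines per source and day and reports how many guesses each burst made, how many usernames it tried and how long it lasted. The log lines are constructed (TEST-NET addresses) and the syslog year is assumed to be 2005.

```python
"""Summarise sshd password-guessing bursts per source and day from
auth.log style lines.  Added example; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Burst(NamedTuple):
    source: str
    day: str         # YYYY-MM-DD
    attempts: int
    users: int       # distinct usernames tried
    minutes: float   # span from first to last failure


def _stamp(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def summarise(lines: List[str], year: int = 2005) -> List[Burst]:
    """Group failed password attempts by (source, day), most attempts first."""
    groups: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue         # accepted logins and other noise are ignored
        when = _stamp(m["ts"], year)
        groups[(m["ip"], when.strftime("%Y-%m-%d"))].append((when, m["user"]))
    bursts = []
    for (ip, day), events in groups.items():
        times = [t for t, _ in events]
        span = (max(times) - min(times)).total_seconds() / 60
        bursts.append(Burst(ip, day, len(events), len({u for _, u in events}), span))
    return sorted(bursts, key=lambda b: (-b.attempts, b.source, b.day))


def noisy_sources(bursts: List[Burst], min_attempts: int) -> List[str]:
    """Sources that produced at least min_attempts failures in a single day."""
    return sorted({b.source for b in bursts if b.attempts >= min_attempts})


# Constructed sample: one ten-minute dictionary run, one stray guess, one
# legitimate key login, and a repeat visit the next day.
SAMPLE_LOG = """\
Dec 12 03:14:01 gw sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 12 03:14:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Dec 12 03:16:20 gw sshd[2210]: Failed password for invalid user test from 203.0.113.5 port 51301 ssh2
Dec 12 03:19:44 gw sshd[2218]: Failed password for root from 203.0.113.5 port 51377 ssh2
Dec 12 03:23:05 gw sshd[2222]: Failed password for invalid user oracle from 203.0.113.5 port 51402 ssh2
Dec 12 03:24:01 gw sshd[2223]: Failed password for root from 203.0.113.5 port 51410 ssh2
Dec 12 08:02:11 gw sshd[2390]: Failed password for root from 198.51.100.9 port 40001 ssh2
Dec 12 09:00:00 gw sshd[2400]: Accepted publickey for peter from 192.0.2.10 port 50022 ssh2
Dec 13 00:00:30 gw sshd[3001]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""

if __name__ == "__main__":
    for burst in summarise(SAMPLE_LOG.splitlines()):
        print(burst)
    print("noisy:", noisy_sources(summarise(SAMPLE_LOG.splitlines()), 5))
```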
Re: IAB and private numbering
Christopher L. Morrow wrote:
> ... I don't believe there is a 'rfc1918' in v6 (yet), I agree that it doesn't seem relevant, damaging perhaps though :)

Yes, there was rfc1918 in IPv6 right from the beginning:

Site local addresses 0xF80 don't leave a site. They can be routed within a site but they never get outside. Just like rfc1918 addresses do.

Link local addresses that cannot even leave a link. Even more restrictive than rfc1918. Just like old NetBIOS used to be before it was ported to TCP/IP, IPX and DECnet.

regards
Peter and Karin

--
Peter and Karin Dambier
Re: New Rules On Internet Wiretapping Challenged
Vicky Rode wrote:
> ...Raising my hand.
>
> My question is on Terry Hartle's comments, maybe someone with more insight into this could help clear my confusion.
>
> Why would it require to replace every router and every switch when my understanding is, FCC is looking to install *additional* gateway(s) to monitor Internet-based phone calls and emails.

In a datacenter you have lines coming in and lines going out. And you have internal equipment. You have to eavesdrop on all of this because the supposed terrorist might come in via ssh and use a local mail programme to send his email.

So you have to eavesdrop on all incoming lines because you don't know where he comes in. Via ADSL? Via cable modem? Via a glass fiber?

And you have to monitor all internal switches because you don't know which host he might have hacked.

Guess a cheap switch with 24 ports at 100 MBit. That makes 2.4 Gig. You have to watch all of these. They can all send at the same time. Your switch might have a 1 Gig uplink. But that uplink is already in use for your uplink and it does not even support 2.4 Gig.

How about switches used in datacenters with 48 ports, 128 ports, ... Where do you get the capacity for multiple Gigs just for eavesdropping?

On the other hand - most switches have a port for debugging. But this port can only listen on one port, not on 24 or even 48 of them. So you have to invent a new generation of switches.

How about the routers? They are even more complicated than a switch. As everybody should know by now - every router can be hacked. So your monitoring must be outside the router.

The government will offer you an *additional* gateway. I wonder what that beast will look like. It must be able to take all input you get from a glass fiber. Or do they ask us to get down with our speed so they have time to eavesdrop?

> I can see some sort of network redesign happening in order to accommodate this but replacing every router and every switch sounds too drastic, unless I misunderstood it.
>
> Please, I'm not advocating this change but just trying to understand the impact from an operation standpoint.

Yes, it is drastic. But if they want to eavesdrop that is the only way to do it.

> Any insight will be appreciated.
>
> regards,
> /virendra

Here in Germany we accidentally have found out why East Germany had to finally give up: They installed equipment to eavesdrop and tape on every single telephone line. They could not produce enough tapes to keep up with this :)

Not to mention what happened when they recycled the tapes and did not have the time to first erase them :)

Kind regards,
Peter and Karin

--
Peter and Karin Dambier
Re: h-root-servers.net (Level3 Question)
Christopher L. Morrow wrote:
> On Sun, 23 Oct 2005, Daniel Roesen wrote:
>> On Sun, Oct 23, 2005 at 11:59:15AM +0200, Peter Dambier wrote:
>>> I mean, here in Germany we cannot see h.root-servers.net
>>> Here is my traceroute to h.root-servers.net right now:
>>
>> So, where do you see a problem related to L3/Cogent there? Your traceroute hits DREN, the operator of h.root-servers.net.
>
> agreed, looks like a dren 'issue' which MAY be a planned event? DREN probably shouldn't filter traffic to/from h-root (aside from udp/53 | tcp/53 traffic) no 'prefix-X not allowed to have access to h-root' sorts of things) That said, they MAY have done that, did someone (peter?) ask them?

I did ask them. Told me it was a firewall mishap. Problem is solved now.

Thanks,
Peter and Karin Dambier

--
Peter and Karin Dambier
Re: h-root-servers.net
Sabri Berisha wrote:
> On Sun, Oct 23, 2005 at 04:07:03PM -0500, John Palmer (NANOG Acct) wrote:
>> Peter Dambier did post nonsense.
>
> In fact, it was total nonsense since the AMS-IX is not present in any KPN datacentre, *and* it is impossible for end-hosts to connect to the AMS-IX directly.

Part of the traceroutes between me and the system I was talking of:

 6 da-ea1.DA.DE.net.DTAG.DE (62.153.179.54) 18.334 ms 22.725 ms 33.803 ms
 4 ams-e4.AMS.NL.net.DTAG.DE (62.154.15.2) 145.264 ms 152.212 ms 160.623 ms
 5 amx-gw2.nl.dtag.de (195.69.145.211) 14.737 ms 13.115 ms 11.501 ms
 5 gb-2-0-0.amsix1.tcams.nl.easynet.net (195.69.144.38) 169.072 ms 176.623 ms 184.463 ms
 4 213.201.252.133 19.577 ms 17.808 ms 16.000 ms
 6 213.201.252.10 194.043 ms 201.762 ms 209.455 ms
 3 217.195.244.142 21.561 ms 21.339 ms 20.145 ms
 7 Scylla (213.201.229.65) 156.335 ms 164.501 ms 171.735 ms

To my eyes it looks like the data is going through Amsterdam IX.

I did not say the host was connected to the IX. I said it was living in a datacentre connected to Amsterdam IX. The customer pays for the ISP being present at Amsterdam IX. If that is not the case please tell me, so they can get their money back.

I am sorry if I mixed up two computers, one in the Netherlands in an easynet colocation with another one here in Germany with KPN. Both could reach h.root-servers.net

And this I found from the Amsterdam IX memberlist:

Name: KPN Internet Solutions - AS286
AS Number: 286
URL: www.as286.net
Member since: 2002-10-14
Organisational contact: [EMAIL PROTECTED]
Peering contact: [EMAIL PROTECTED]
Peering policy: www.as286.net

So I guess that computer too is connected not via DTAG.DE but via Amsterdam IX

I never claimed to be a routing guru. If you feel like splitting hairs you are welcome.

Kind regards,
Peter and Karin Dambier

--
Peter and Karin Dambier
Re: Customer view vs. operator view was:( h-root-servers.net)
Thank you Michael, for throwing light into this.

Yes, I see, Sabri and me are on two different rails, one leading north, the other one leading east.

I hope Sabri still has got all his hairs. I am counting mine now.

Kind regards and thank you again,
Peter Dambier

[EMAIL PROTECTED] wrote:
>>> I know of one host here in Germany who can see h.root-servers.net. That host is living in a KPN data centre directly connected to Amsterdam IX.
>>
>> Your own traceroute clearly shows that your host is not directly connected to the AMS-IX. Nor does the KPN datacenter it resides in. The AMS-IX has 4 datacenters where members can place equipment which can be directly connected to the AMS-IX:
>> - GlobalSwitch;
>> - Sara;
>> - Nikhef;
>> - Telecity2, Kuiperbergerweg;
>> Every statement otherwise is bogus, nonsense, crap or whatever term you prefer to use for this.
>
> This is a good example of a useless argument caused when one person is speaking from a customer viewpoint and one customer is speaking from an operator viewpoint.
>
> Assume that there is an ISP X with a data center in Germany and a colocated rack at Nikhef. They peer directly with many other providers through AMS-IX from their Nikhef location. Customer Q comes along and places a server in their data centre in Germany because he needs to serve his users both in Germany and in his chain of hotels throughout Holland. His network people assure him that the server is connected directly to AMS-IX because that is what their traceroutes say.
>
> Of course, we know better. We know that the server is connected directly to ISP X and indirectly to AMS-IX because we are used to being particular about which operator owns each hop. But the customer Q doesn't see the hops in network X. To him, they are invisible because they are his HOME network. Customers don't see themselves as network operators and therefore they often think of their ISP's network as their own.
>
> So who is right? Peter? Sabri? Both?
>
> My opinion is that neither of them is right because they both failed to understand what the real problem is and they both failed to take the correct steps to solve the problem. As it happens, this was a very, very basic network issue which does not need to be discussed on NANOG at all.
>
> --Michael Dillon

--
Peter and Karin Dambier
h-root-servers.net (Level3 Question)
Dan Mahoney, System Admin wrote: Okay, so I've been reading this thread on L3, and I'm a little curious as to what this potential de-peering means in one unique situation. I means, here in germany we cannot see h.root-servers.net soa(.,2005102201,a.root-servers.net,198.41.0.4). soa(.,2005102201,b.root-servers.net,192.228.79.201). soa(.,2005102201,c.root-servers.net,192.33.4.12). soa(.,2005102201,d.root-servers.net,128.8.10.90). soa(.,2005102201,e.root-servers.net,192.203.230.10). soa(.,2005102201,f.root-servers.net,192.5.5.241). soa(.,2005102201,g.root-servers.net,192.112.36.4). error(.,h.root-servers.net,128.63.2.53,no response). soa(.,2005102201,i.root-servers.net,192.36.148.17). soa(.,2005102201,j.root-servers.net,192.58.128.30). soa(.,2005102201,l.root-servers.net,198.32.64.12). soa(.,2005102201,l.root-servers.net,198.32.64.12). soa(.,2005102201,m.root-servers.net,202.12.27.33). Ok, it is only one of the root servers. But have a look who h.root-servers.net is. It is one of the originals not an anycasted copy. Maybe it is only dtag.de the uplink of my ISP but they are the uplink of mostly any ISP here in germany. I guess half of the world cannot reach your site and they cannot even send you an email to tell you. 
Here is my traceroute to h.root-servers.net right now:

2005-10-23 (296) 11:48:46 loc
2005-10-23 (296) 09:48:46 UTC
traceroute to h.root-servers.net (128.63.2.53), 30 hops max, 40 byte packets
 1 echnaton.lomiheim (192.168.48.228) 4.675 ms 5.587 ms 6.364 ms
 2 DARX41-erx (217.0.116.49) 116.568 ms 132.257 ms 137.536 ms
 3 sepia (217.0.67.106) 119.249 ms 124.106 ms 134.971 ms
 4 62.156.131.150 230.077 ms 233.444 ms 237.907 ms
 5 sl-gw31-nyc-12-0.sprintlink.net (144.223.27.133) 248.150 ms 254.276 ms 262.928 ms
 6 sl-bb23-nyc-12-0.sprintlink.net (144.232.13.33) 271.683 ms 278.948 ms 286.979 ms
 7 sl-bb20-nyc-8-0.sprintlink.net (144.232.7.13) 288.615 ms 296.159 ms 304.545 ms
 8 0.so-2-3-0.BR1.NYC4.ALTER.NET (204.255.174.225) 153.352 ms 160.090 ms 168.617 ms
 9 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 177.012 ms * 184.325 ms
10 0.so-7-0-0.XL1.CHI2.ALTER.NET (152.63.68.81) 202.066 ms 205.084 ms 207.531 ms
11 POS6-0.GW10.CHI2.ALTER.NET (152.63.69.169) 214.184 ms 221.166 ms 228.862 ms
12 0.so-3-3-0.dng.dren.net (65.195.244.54) 323.133 ms * 325.671 ms
13 so12-0-0-0.arlapg.dren.net (138.18.1.3) 373.705 ms 381.351 ms 393.036 ms
14 * * *

; DiG 9.1.3 . @h.root-servers.net
;; global options: printcmd
;; connection timed out; no servers could be reached

A friend of mine has got a colo box sitting, single-homed, in a (3) data center. At the end of this, is this going to mean I can't reach Cogent? I've seen something in the discussions that implies this will be the case, but am not ultimately sure. Then again, is anyone?

I am sure I cannot reach h-root-servers.net and a lot of other sites.
Here is what I see from another host in the Netherlands:

traceroute to h.root-servers.net (128.63.2.53), 30 hops max, 40 byte packets
 1 Bifroest (84.22.100.1) 0.181 ms 0.156 ms 0.155 ms
 2 Charybdis (84.22.96.245) 2.016 ms 3.895 ms 3.545 ms
 3 217.195.244.142 104.799 ms 103.670 ms 102.902 ms
 4 213.201.252.230 103.338 ms 101.735 ms 100.100 ms
 5 ge0-0-0-1.gr0.tcams.nl.easynet.net (207.162.205.113) 98.449 ms 96.802 ms 95.168 ms
 6 so0-1-0-0.gr0.tclon.uk.easynet.net (207.162.205.49) 101.366 ms 100.190 ms 98.656 ms
 7 ge0-3-0-0.gr1.thlon.uk.easynet.net (207.162.205.21) 96.926 ms 95.480 ms 93.871 ms
 8 ge0-0-0-0.gr0.thlon.uk.easynet.net (207.162.198.12) 92.276 ms 90.543 ms *
 9 ge0-2-0-0.gr0.bllon.uk.easynet.net (207.162.205.13) 22.415 ms 21.672 ms 20.266 ms
10 br0.bllon.uk.easynet.net (207.162.204.5) 21.576 ms 20.171 ms 23.452 ms
11 ge-1-0-0-0.br0.tclon.uk.easynet.net (82.108.6.122) 21.855 ms 20.237 ms 21.863 ms
12 ge0-0-0-0.br0.thlon.uk.easynet.net (195.172.211.205) 20.422 ms 23.193 ms 21.581 ms
13 ip-217-204-60-90.easynet.co.uk (217.204.60.90) 20.976 ms 20.646 ms 20.409 ms
14 ge-5-0-2.402.ar2.LON3.gblx.net (67.17.212.93) 90.475 ms 89.058 ms 87.318 ms
15 so6-0-0-2488M.ar2.NYC1.gblx.net (67.17.64.158) 97.484 ms 110.351 ms 108.752 ms
16 POS1-0.BR3.NYC8.ALTER.NET (204.255.168.133) 107.855 ms POS1-1.BR3.NYC8.ALTER.NET (204.255.168.61) 106.842 ms 118.576 ms
17 0.so-5-2-0.XL1.NYC8.ALTER.NET (152.63.19.54) 118.120 ms 116.336 ms 114.644 ms
18 0.so-7-0-0.XL1.CHI2.ALTER.NET (152.63.68.81) 137.482 ms 135.923 ms 134.144 ms
19 POS6-0.GW10.CHI2.ALTER.NET (152.63.69.169) 132.387 ms 130.567 ms 129.078 ms
20 0.so-3-3-0.dng.dren.net (65.195.244.54) 116.936 ms 116.027 ms 114.271 ms
21 so12-0-0-0.arlapg.dren.net (138.18.1.3) 126.768 ms 125.046 ms 126.627 ms
22 cperouter.arlapg.dren.net (138.18.21.2) 126.067 ms 124.259 ms 127.054 ms
23 * * *

; DiG 9.2.4 . @h.root-servers.net
;; global
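The two checks Peter runs above, an SOA query against every root server (the soa(...)/error(...) lines) and a traceroute from two vantage points, are easier to compare when the output is summarised rather than read hop by hop. The following Python parser is an added example, not code from the thread or from anyone posting in it. It reports which root letters answered, which returned an error, which were never queried, whether all returned serials agree, and which letters appear twice; for the traceroutes it finds the last hop that answered before the path goes dark and the hops that both traces share. The sample input is constructed from the output quoted above (the last five hops of the German trace and the last six of the Dutch one); the function names and the report layout are my own choices.

```python
"""Reachability summary for a per-root-server SOA check and two traceroutes.
Added example; the sample input is constructed from the output quoted in the thread."""
import re
from collections import Counter

ROOT_LETTERS = "abcdefghijklm"   # the thirteen root server letters

# Constructed sample: the soa(...)/error(...) lines from the post
# (note the duplicated l. entry and the absent k. entry).
SOA_CHECK = """\
soa(.,2005102201,a.root-servers.net,198.41.0.4).
soa(.,2005102201,b.root-servers.net,192.228.79.201).
soa(.,2005102201,c.root-servers.net,192.33.4.12).
soa(.,2005102201,d.root-servers.net,128.8.10.90).
soa(.,2005102201,e.root-servers.net,192.203.230.10).
soa(.,2005102201,f.root-servers.net,192.5.5.241).
soa(.,2005102201,g.root-servers.net,192.112.36.4).
error(.,h.root-servers.net,128.63.2.53,no response).
soa(.,2005102201,i.root-servers.net,192.36.148.17).
soa(.,2005102201,j.root-servers.net,192.58.128.30).
soa(.,2005102201,l.root-servers.net,198.32.64.12).
soa(.,2005102201,l.root-servers.net,198.32.64.12).
soa(.,2005102201,m.root-servers.net,202.12.27.33).
"""

# Constructed sample: tail of the German trace (goes dark after dren.net).
TRACE_DE = """\
traceroute to h.root-servers.net (128.63.2.53), 30 hops max, 40 byte packets
10 0.so-7-0-0.XL1.CHI2.ALTER.NET (152.63.68.81) 202.066 ms 205.084 ms 207.531 ms
11 POS6-0.GW10.CHI2.ALTER.NET (152.63.69.169) 214.184 ms 221.166 ms 228.862 ms
12 0.so-3-3-0.dng.dren.net (65.195.244.54) 323.133 ms * 325.671 ms
13 so12-0-0-0.arlapg.dren.net (138.18.1.3) 373.705 ms 381.351 ms 393.036 ms
14 * * *
"""

# Constructed sample: tail of the Dutch trace (one hop further along).
TRACE_NL = """\
traceroute to h.root-servers.net (128.63.2.53), 30 hops max, 40 byte packets
18 0.so-7-0-0.XL1.CHI2.ALTER.NET (152.63.68.81) 137.482 ms 135.923 ms 134.144 ms
19 POS6-0.GW10.CHI2.ALTER.NET (152.63.69.169) 132.387 ms 130.567 ms 129.078 ms
20 0.so-3-3-0.dng.dren.net (65.195.244.54) 116.936 ms 116.027 ms 114.271 ms
21 so12-0-0-0.arlapg.dren.net (138.18.1.3) 126.768 ms 125.046 ms 126.627 ms
22 cperouter.arlapg.dren.net (138.18.21.2) 126.067 ms 124.259 ms 127.054 ms
23 * * *
"""

SOA_RE = re.compile(r"^soa\(\.,(\d+),([a-m])\.root-servers\.net,([\d.]+)\)\.$")
ERR_RE = re.compile(r"^error\(\.,([a-m])\.root-servers\.net,([\d.]+),(.*)\)\.$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")   # "<hop> <responder/times...>"


def root_server_report(text):
    """Summarise which root letters answered, failed, or were never queried,
    whether all returned serials agree, and which letters appear twice."""
    serials, failed, seen = {}, {}, Counter()
    for line in text.splitlines():
        line = line.strip()
        m = SOA_RE.match(line)
        if m:
            serials[m.group(2)] = int(m.group(1))
            seen[m.group(2)] += 1
            continue
        m = ERR_RE.match(line)
        if m:
            failed[m.group(1)] = m.group(3)   # e.g. "no response"
            seen[m.group(1)] += 1
    return {
        "answered": sorted(serials),
        "unreachable": sorted(failed),
        "not_queried": [c for c in ROOT_LETTERS if c not in seen],
        "duplicated": sorted(c for c, n in seen.items() if n > 1),
        "serial_consistent": len(set(serials.values())) == 1,
    }


def parse_traceroute(text):
    """Return [(hop, responder)]; responder is None when every probe timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # header line or dig output, not a hop
        names = [f for f in m.group(2).split() if f != "*"]
        hops.append((int(m.group(1)), names[0] if names else None))
    return hops


def last_responding_hop(hops):
    """Last hop that answered; the path goes dark right after it."""
    answered = [(n, r) for n, r in hops if r is not None]
    return answered[-1] if answered else None


def common_responders(hops_a, hops_b):
    """Responders seen in both traces, in the order trace A visits them."""
    in_b = {r for _, r in hops_b if r is not None}
    return [r for _, r in hops_a if r is not None and r in in_b]


if __name__ == "__main__":
    print(root_server_report(SOA_CHECK))
    de, nl = parse_traceroute(TRACE_DE), parse_traceroute(TRACE_NL)
    print("DE last answer:", last_responding_hop(de))
    print("NL last answer:", last_responding_hop(nl))
    print("shared hops:", common_responders(de, nl))
```

On the quoted data the report flags h as unreachable, k as never queried and l as listed twice, with every returned serial equal; the two traces share the same four ALTER.NET and dren.net hops, and the German path simply stops answering one hop earlier than the Dutch one. That is the comparison the thread is making by eye: the divergence is not at the edge but deep in the path, past the hops either poster controls.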
