OT: Public VM, spread the word if possible

2005-09-02 Thread Scott Call


A public voicemail box has been set up at 1-866-217-6255.

You can call in and check for messages based on a person's phone number 
(even if the # itself is dead right now) or leave a message based on your 
own.


This service is being done (or at least announced) by Air America Radio, 
but don't let politics get in the way of a potentially useful service.


I'm just passing it along, as I think it could be effective: if someone in 
contact with relief workers could get the # posted in places where the 
survivors are gathered or gathering, that would be great.


Thanks
-Scott


Re: fcc ruling on dsl providers' access to infrastructure

2005-08-07 Thread Scott Call


On Sun, 7 Aug 2005, Richard A Steenbergen wrote:


Does anyone else find it ironic that removing the requirement that allowed
competition was done in order to promote competition? I feel boned, how
about you? :)


Welcome to the United Corporate States of America (if there was ever any 
doubt).  It must be nice to own a congresscritter or two (or two dozen) and 
the FCC board for good measure.  We've always been at war with 
Middleastia, and our corporate patrons are working in your best interest.


I would _love_ to see an accounting of all of the tax incentives, monetary 
perks, and business anti-trust exemptions that have been handed to the 
BOCs since ATT split up.  These companies have been given literally 
billions of dollars to build next generation networks, and have only 
ever made any moves in that direction when forced to compete.


On my office wall I have a framed advert from Newsweek in 1982 advertising 
the low low rate of $1.35 a minute interstate long distance from the Bell 
System.


Yet another reason to welcome you back to 1984.

I do wonder what, if any, consumer reactions are going to guide the BOCs. 
I mean is Joe Internet going to get all riled up when his ISP he's had for 
5 years sends him email telling him he's being moved to Qwest or SBC 
without his consent?  Is SBC going to care? Is there going to be a 
business case for web and email hosting with someone other than your 
forced access provider?  Is there any legal incentive for 
SBC/Qwest/Comcast to allow that access?


-S


Re: Internet2

2005-04-26 Thread Scott Call
On Tue, 26 Apr 2005, Mikael Abrahamsson wrote:

 What is internet2 speed? As far as I can see Internet2 is a 10G based 
 national network. What is so special about that in this day and age?

I think the difference is the average connection speeds of the end users 
of the network.  It's not at all uncommon today for a provider with a 10G+ 
backbone to have 100Mbps or less average connection speed, whereas I2 end 
users are often on campus networks at gig-E or faster.

So the speeds mentioned are the realized speeds in p2p and malware 
spreading applications, or at least that is my assumption based on the 
original poster's question.




Re: Service providers that NAT their whole network?

2005-04-15 Thread Scott Call
On Fri, 15 Apr 2005, Philip Matthews wrote:

 A number of IETF documents(*) state that there are some service providers
 that place a NAT box in front of their entire network, so all their
 customers get private addresses rather than public address.
 It is often stated that these are primarily cable-based providers.

In my experience many cellular providers (at least in the US) do this as 
well.  A GPRS connection to Cingular, even from a laptop device, will get 
a 1918 address. I don't mind since my phone runs linux with no root 
password (thanks motorola).

-Scott


Re: Utah governor signs Net-porn bill

2005-03-23 Thread Scott Call
On Wed, 23 Mar 2005 [EMAIL PROTECTED] wrote:

that's EASY: there is hyperconcern for the welfare of
children in Utah,
Finally, someone who recognizes what this bill is
all about. It merely asks ISPs to provide parents
with a filtering tool that cannot be overridden by
their children because the process of filtering takes
place entirely outside the home.
To quote Peter Tolan (co-writer of the TV show Rescue Me) on another 
censorship issue: "The idea that government feels they have to regulate 
this stuff because the people they're governing can't turn it off is 
insulting."

Why is it the ISP's responsibility to assume an operational burden of 
enforcing the religious morality of one group?   I think the phrase 
"chilling effect" has been used in this thread previously, and I believe 
it was apt.

If there's a demand for an alternative internet service by, for example, 
Mormons, why not start an ISP with filtering, and offer it?  Niche 
businesses serving narrow segments of the market have been very 
successful, even if they charge slightly more, based on their specialized 
appeal.

If aol/comcast/rboc/etc see that they are losing customers to 
competition, they may choose to offer similar services or choose to let 
the customers go.




Re: Little brother of sitefinder

2004-12-08 Thread Scott Call
On Wed, 8 Dec 2004, Owen DeLong wrote:

 I hadn't noticed it, but, I hope that ICANN will take appropriate action
 on it.

Are they doing this just to Verisign registered domains, or any domains 
expiring at any registrar?

If it's just verisign customers, I don't think this is the affront to the 
internet that sitefinder was, but if it's all expired domains, then it's 
getting close.

Do any other .com registrars employ these tactics? I think I've seen it on 
other TLDs.

Thanks
-S


Re: Senator Diane Feinstein Wants to know about the Benefits of P2P

2004-08-30 Thread Scott Call
On Mon, 30 Aug 2004, Mike Tancsa wrote:

 I recall even seeing posts about people claiming this meant original data 
 being reconstructed from the checksum!  That would be truly amazing since I 
 could reconstruct a 680MB ISO from just 61d38fad42b4037970338636b5e72e5a. 
 Wow!

Technically, using an Infinite Monkeys approach, you could rebuild the 
ISO by generating the exponentially huge quantity of all possible data and 
checking them to find the one that matches the ISO.

Not practical but possible.

As far as the P2P thing goes, framing it as a free speech argument is 
probably not a bad way to start.  For example, the guy from 
bikesagainstbush.com was arrested over the weekend (while being 
interviewed on MSNBC) and video of the arrest from a 3rd party was 
available on BT within minutes.

A method like P2P (and BT's swarming in particular) allowed this file to 
spread without overtaxing the bandwidth of the person or organization 
distributing it.

Frankly, in a day when news organizations are forced to think about 
any negative impacts of their reporting on their parent corp's agenda, 
this is a must have tech.

-S


Re: Google?

2004-07-26 Thread Scott Call
On Mon, 26 Jul 2004, Marco Davids (SARA) wrote:

 Google seems to fail on every search containing the word 'mail' ?

http://isc.sans.org/diary.php?isc=d46940064182f61f40ca333bc3c2f439

Operational in the context that it's a response to a network traveling 
worm, and will generate customer calls.

-S



BGP list of phishing sites?

2004-06-27 Thread Scott Call
Happy Sunday nanogers...

I was doing some follow up reading on the js.scob.trojan, the latest 
"hole big enough to drive a truck through" exploit for Internet Explorer.

One of the things the article mentioned is that ISP/NSPs are shutting off 
access to the web site in Russia where the malware is being downloaded 
from.

Now we've done this in the past when a known target of a DDOS was upcoming 
or a known website hosted part of a malware package, and it is fairly 
effective in stopping the problems.

So what I was curious about is would there be interest in a BGP feed (like 
the DNSBLs used to be) to null route known malicious sites like that?

Obviously, both operational guidelines, and trust of the operator would 
have to be established, but I was thinking it might be useful for a few 
purposes:

1. IP addresses of well known sources of malicious code (like in the 
   example above)
2. DDOS mitigation (ISP/NSP can request a null route of a prefix, which 
   will save the Internet at large as well as the NSP from the traffic 
   flood)
3. etc.

Since the purpose of this list would be to identify and mitigate large 
scale threats, things like spammers, etc. would be outside of its charter.

If anyone thinks this is a good (or bad) idea, please let me know. 
Obviously it's not fully cooked yet, but I wanted to throw it out there.

Thanks
-Scott
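The "operational guidelines and trust" part of the proposal is where such a feed would succeed or fail: a blackhole feed that accepts anything is itself a denial-of-service tool. As an added example (mine, not part of the post or of any real feed), here is a Python validator for a hypothetical feed format with the two purposes listed above. The per-purpose prefix-length limits, the requirement that a DDoS null route be requested by the prefix owner, the bogon list and the sample entries (documentation address space, private ASNs) are all assumptions constructed for the example; `subnet_of` is the standard-library `ipaddress` call.

```python
import ipaddress

# Space that must never be blackholed from a shared feed: either it is not
# routed on the public Internet anyway, or a null route for it would hit our
# own infrastructure. The list is constructed for this example.
NEVER_BLACKHOLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical per-purpose limits for the two uses named in the post:
# malware sources get host routes only; DDoS victims may ask for up to a /24.
RULES = {
    "malware": {"min_len": 32},
    "ddos": {"min_len": 24},
}

def validate_entry(entry, origin_map):
    """Return (accepted, reason) for one feed entry.

    entry: {"prefix": "a.b.c.d/len", "purpose": "malware" | "ddos",
            "requester": <ASN of the party that submitted it>}
    origin_map: {ASN: [networks that ASN is trusted to blackhole on request]}
    """
    try:
        net = ipaddress.ip_network(entry["prefix"], strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix: {exc}"
    if net.version != 4:
        return False, "IPv4 only in this example"
    rule = RULES.get(entry.get("purpose"))
    if rule is None:
        return False, "unknown purpose"
    if net.prefixlen < rule["min_len"]:
        return False, f"/{net.prefixlen} is too short for {entry['purpose']} (collateral damage)"
    if any(net.subnet_of(bad) for bad in NEVER_BLACKHOLE):
        return False, "bogon, private or multicast space"
    if entry["purpose"] == "ddos":
        trusted = origin_map.get(entry.get("requester"), [])
        if not any(net.subnet_of(o) for o in trusted):
            return False, "requester is not the owner of this prefix"
    return True, "ok"

def validate_feed(entries, origin_map):
    """Split a feed into accepted and rejected (prefix, reason) pairs."""
    accepted, rejected = [], []
    for entry in entries:
        ok, why = validate_entry(entry, origin_map)
        (accepted if ok else rejected).append((entry["prefix"], why))
    return accepted, rejected

def render_static_routes(accepted):
    """Cisco-style static null routes for the accepted prefixes."""
    routes = []
    for prefix, _ in accepted:
        net = ipaddress.ip_network(prefix)
        routes.append(f"ip route {net.network_address} {net.netmask} Null0")
    return routes

# Constructed sample feed using documentation address space and private ASNs.
SAMPLE_FEED = [
    {"prefix": "192.0.2.77/32", "purpose": "malware", "requester": 64500},
    {"prefix": "192.0.2.0/24", "purpose": "malware", "requester": 64500},
    {"prefix": "198.51.100.0/24", "purpose": "ddos", "requester": 64501},
    {"prefix": "198.51.100.0/24", "purpose": "ddos", "requester": 64502},
    {"prefix": "203.0.112.0/23", "purpose": "ddos", "requester": 64501},
    {"prefix": "10.1.2.3/32", "purpose": "malware", "requester": 64500},
]
TRUSTED_ORIGINS = {64501: [ipaddress.ip_network("198.51.100.0/24")]}

if __name__ == "__main__":
    acc, rej = validate_feed(SAMPLE_FEED, TRUSTED_ORIGINS)
    print("\n".join(render_static_routes(acc)))
    for prefix, why in rej:
        print(f"rejected {prefix}: {why}")
```

Two of the six sample entries survive; the rest are dropped for being too short, for coming from a requester who does not own the prefix, or for being private space. In practice the accepted list would be announced with a blackhole community rather than rendered as static routes, but the validation step is the same.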


Re: what the .. constant connects from adelphia.net..

2004-05-06 Thread Scott Call

On Thu, 6 May 2004, Nicole wrote:



  As shown below I keep getting these connects from various adelphia.net mta
 servers. No data is ever sent. Anyone know what they are up to?

Checking my log for those IPs I see lots of sender verifications (MAIL
FROM:<>, RCPT TO:[EMAIL PROTECTED], no data).

That's probably what they are doing.

-S




   Nicole




-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814




Re: Postfix errors from some new worm??

2004-04-29 Thread Scott Call

On Thu, 29 Apr 2004, Nicole wrote:



  Seems like its trying to show web data.. and it ignores errors.
  I am seeing a bit of these. Nothing googelable for SHWAN-PROXY =[

  Some broken script or worm?


It's most likely an HTTP proxy connection abuse.

Since CONNECT proxies are drying up, people are using open HTTP proxies
to try to send mail.

Basically they send a POST to the proxy that causes it to connect to your
server, and make an HTTP request that contains SMTP commands, so after the
HTTP commands it would have a line like:

value=\r\nHELO sdfads\r\nMAIL FROM:[EMAIL PROTECTED]\r\nRCPT
TO:[EMAIL PROTECTED]\r\nDATA\r\nSee my website\r\n\.

which if your mail server ignores the errors caused by the HTTP header
will cause an SMTP session to be triggered.

I'm not sure if postfix has it, but setting a max number of errors per
session, or making sure the SMTP lock-step is followed can really help
stop these.

-S


   Nicole


 Transcript of session follows.

  Out: 220 krell.webweaver.net ESMTP commodore 64 Postfix Baby
  In:  POST / HTTP/1.0
  Out: 502 Error: command not implemented
  In:  Via: 1.0 SHWAN-PROXY
  Out: 502 Error: command not implemented
  In:  Host: mail.webweaver.net:25
  Out: 502 Error: command not implemented
  In:  Content-Length: 1056
  Out: 502 Error: command not implemented
  In:  Content-Type: text/plain
  Out: 502 Error: command not implemented
  In:  Connection: Keep-Alive
  Out: 502 Error: command not implemented
  In:
  Out: 500 Error: bad syntax
  In:  RSET
  Out: 250 Ok
  In:  HELO webtv.net
  Out: 250 krell.webweaver.net
  In:  MAIL FROM:[EMAIL PROTECTED]
  Out: 250 Ok
  In:  RCPT TO:[EMAIL PROTECTED]
  Out: 550 Client host rejected: cannot find your hostname, [207.68.98.5]
  In:  DATA
  Out: 554 Error: no valid recipients
  In:  To: [EMAIL PROTECTED]
  Out: 502 Error: command not implemented
  In:  From: roman [EMAIL PROTECTED]
  Out: 221 Error: I can break rules, too. Goodbye.






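The two countermeasures named above, a cap on errors per session and strict lock-step, can be seen working against the quoted transcript. The following Python state machine is an added example (mine, not Postfix code and not from the thread): it replays the "In:" lines of the transcript as a constructed session, with the envelope addresses replaced by placeholders, and the error budget of five is an assumed value.

```python
import re

# Constructed from the "In:" lines of the transcript quoted above; the
# envelope addresses are placeholders, not the real ones.
SMUGGLED_SESSION = [
    "POST / HTTP/1.0",
    "Via: 1.0 SHWAN-PROXY",
    "Host: mail.webweaver.net:25",
    "Content-Length: 1056",
    "Content-Type: text/plain",
    "Connection: Keep-Alive",
    "",
    "RSET",
    "HELO webtv.net",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<victim@example.invalid>",
    "DATA",
]

HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|CONNECT)\s+\S+\s+HTTP/\d\.\d$", re.I)

class SmtpGuard:
    """Minimal SMTP command handler with the two defences the post suggests:
    a per-session error budget and strict lock-step (HELO, MAIL, RCPT, DATA)."""

    def __init__(self, max_errors=5):
        self.max_errors = max_errors
        self.errors = 0
        self.dropped = False
        self.http_seen = False
        self.mail_accepted = False
        self.state = "connected"      # connected -> helo -> mail -> rcpt

    def _error(self, reply):
        self.errors += 1
        if self.errors >= self.max_errors:
            self.dropped = True
            return "421 Too many errors, closing connection"
        return reply

    def feed(self, line):
        """Handle one client line; returns the reply, or None once dropped."""
        if self.dropped:
            return None
        if HTTP_REQUEST_LINE.match(line):
            self.http_seen = True     # worth logging: an HTTP client on port 25
        verb = re.split(r"[ :]", line, maxsplit=1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return "250 ok"
        if verb == "RSET":
            if self.state != "connected":
                self.state = "helo"
            return "250 ok"
        if verb == "MAIL":
            if self.state != "helo":
                return self._error("503 Bad sequence: send HELO/EHLO first")
            self.state = "mail"
            self.mail_accepted = True
            return "250 ok"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return self._error("503 Bad sequence: need MAIL first")
            self.state = "rcpt"
            return "250 ok"
        if verb == "DATA":
            if self.state != "rcpt":
                return self._error("503 Bad sequence: no valid recipients")
            return "354 Go ahead"
        if verb == "QUIT":
            return "221 Bye"
        return self._error("500 Bad syntax" if verb == "" else "502 Command not implemented")

def run_session(lines, max_errors=5):
    """Replay a session and report what the guard decided."""
    guard = SmtpGuard(max_errors)
    replies = [r for r in (guard.feed(line) for line in lines) if r is not None]
    return {"dropped": guard.dropped, "mail_accepted": guard.mail_accepted,
            "http_seen": guard.http_seen, "errors": guard.errors, "replies": replies}
```

With the error budget in place the client is disconnected while it is still sending HTTP headers, before the RSET/HELO ever arrives. Without it, note that the smuggled RSET, HELO, MAIL, RCPT, DATA sequence is perfectly well-formed, so lock-step on its own does not stop this particular session; lock-step catches the sloppier payloads that skip HELO, the error budget catches the rest.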



Re: Lazy network operators

2004-04-10 Thread Scott Call

On Sat, 10 Apr 2004, Jeff Workman wrote:

 --On Saturday, April 10, 2004 8:30 PM -0700 Dan Hollis [EMAIL PROTECTED]
 wrote:

  exodus for example had a hands off policy, dont do a single thing until
  law enforcement arrives with a search warrant.

 While this might be a PITA for everybody, I don't see why everybody wants
 to chastise NSPs for this practice, especially NSPs that are/were telcos.
 Isn't this more or less the way telcos have dealt with abuse issues for
 decades?

 I used to work for a very small (~10k dialup customer) ISP, and at the time
 our abuse policy was if somebody complains, and you can find *something*
 in the logs, then lock the account.  Then I went to work for a so-called
 Tier-1 and learned in short order that this policy does not scale,
 especially when abusive customers with DS3s are waving around fully loaded
 lawyers.


The problem with your argument is very much an apples and oranges
comparison.

Having spent the first five years of my network career at a ma-and-pa
that then got gobbled by Verio, and then the last five plus years at a
startup Telco/ISP, I can tell you, you see very different issues.

1. Telcos don't have ISP style AUPs; basically unless it's illegal, you
   can do it on a phone without the carrier getting involved.
2. Telcos don't have the content variety that ISPs do.  You can't
   (practically) bring down a Class 5 switch, the SS7 network, etc. with the
   actions of one customer.
3. A single phoneset cannot be used to contact 50 million people in a
   matter of hours to sell them viagra or other stiffy pills.
4. A phoneset cannot be used to hijack or damage another phoneset on the
   PSTN.  There's no such thing as a zombie telephone.  PBXs might be
   hijackable, but not a home phone.
5. The other Telcos don't get pissed when you or your customers use/abuse
   their resources, they send bills.

and the list goes on and on.

While both the Telco and ISP are communications services, they are
completely different beasts in the abuse department (as well as support,
provisioning, billing, etc.)

If your well-lawyered customer complains, wave the AUP at them; if your
AUP doesn't allow you to disconnect customers who imperil your network and
the Internet at large, rewrite it.

Remember that getting cut off by your upstream is more painful than
dealing with a PITA customer.   Remember that the Internet started out as
a community, and in our little neck of the woods (NSP network
engineering/operations) it still is, and nobody likes a (BGP) neighbor
who doesn't care about the others in his neighborhood.

As an ISP/NSP/whatever acronym they think up next, your customers are your
responsibility, and you, like a good bartender, need to be able to let
your customers know when they're a nuisance.

-S




Re: SMTP behavior: 553 5.5.2 Bad command format(h)

2004-03-31 Thread Scott Call

On Wed, 31 Mar 2004, Miguel Mata-Cardona wrote:


 WTF? Can anyone please explain to me why I must enclose my
 address between the <>?

http://www.faqs.org/rfcs/rfc2821.html




Re: New cisco exploit published in the media today

2004-03-29 Thread Scott Call

Forgive the not panicking, but none of the exploits utilized by this tool
are new, the newest being a year old, most being 2-3 years old, judging by
the dates on the cisco pages.

-S

On Mon, 29 Mar 2004, Henry Linneweh wrote:


 Cisco warns of new hacking toolkit
 http://www.infoworld.com/article/04/03/29/HNhackingtoolkit_1.html

 exploit location
 http://www.blackangels.it/

 -Henry






Re: Throttling mail

2004-03-25 Thread Scott Call

On Thu, 25 Mar 2004, Adi Linden wrote:


 Does anyone have any resources on building a mail relay that would limit
 the amount of email a single user or ip address can relay over a given
 time period?

 I have a spam/virus problem that is getting out of hand.


Depending on your MTA poison of choice there's lots out there.  Personally
I use exim in most of my deployments, and it has a very nice progressive
rate limiting feature (i.e. accept two MAIL commands with no delay, a 0.5
second delay for the third, scaling at a rate of 1.05 times per message until a
5 minute delay per message is reached) that is fully configurable.
(http://www.exim.org/exim-html-4.30/doc/html/spec_14.html#IX1351)

Exim, as well as almost every other MTA out there has support for inline
virus scanning, which may help with your problem as well.

-Scott


 Adi




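To make the shape of that delay curve concrete, here is an added Python model of the schedule described above. It is my reading of the behaviour as the post describes it, not Exim's code, and it uses the post's numbers (two free MAIL commands, 0.5 s for the third, a factor of 1.05, a 5 minute cap); the class and method names are mine.

```python
class ProgressiveMailLimiter:
    """Per-connection delay schedule for MAIL commands.

    Assumed reading of the behaviour described in the post (this is not Exim's
    code): the first `threshold` MAIL commands are accepted immediately, the
    next one waits `base` seconds, and each later one multiplies the previous
    delay by `factor`, capped at `limit` seconds.
    """

    def __init__(self, threshold=2, base=0.5, factor=1.05, limit=300.0):
        self.threshold = threshold
        self.base = base
        self.factor = factor
        self.limit = limit
        self.count = 0          # MAIL commands seen on this connection so far

    def delay_for(self, n):
        """Delay (seconds) applied before the n-th MAIL command, n starting at 1."""
        if n <= self.threshold:
            return 0.0
        return min(self.base * self.factor ** (n - self.threshold - 1), self.limit)

    def next_delay(self):
        """Record one more MAIL command and return the delay to sleep before it."""
        self.count += 1
        return self.delay_for(self.count)

    def first_message_at_limit(self):
        """Ordinal of the first MAIL command that hits the maximum delay."""
        n = self.threshold + 1
        while self.delay_for(n) < self.limit:
            n += 1
        return n

    def total_wait(self, messages):
        """Seconds a client spends waiting to push `messages` MAIL commands."""
        return sum(self.delay_for(n) for n in range(1, messages + 1))

def compare_runs(sizes=(5, 50, 500)):
    """Total wait per run size: shows why the curve hurts bulk senders and
    leaves ordinary clients, which send a handful of messages, untouched."""
    limiter = ProgressiveMailLimiter()
    return {m: round(limiter.total_wait(m), 1) for m in sizes}

if __name__ == "__main__":
    lim = ProgressiveMailLimiter()
    print("first MAIL at the cap:", lim.first_message_at_limit())
    print("total wait by run size:", compare_runs())
```

A five-message session pays about a second and a half in total, a 50-message session about a minute and a half, and by the 135th message each further MAIL waits the full five minutes. That is the point of a progressive limit: it is invisible to legitimate clients and punishing for a relay pumping out spam.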



Re: UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Scott Call

Has anyone figured out the collateral damage if 4000/udp were to be
blocked for a couple of days?  Since the exploit is in the ICQ code of
ISS's products, does blocking 4000/udp block ICQ as well?

Thanks
-S




A TCP Replacement protocol 6000 times faster than DSL?

2004-03-15 Thread Scott Call


Found on slashdot:
http://www.scienceblog.com/community/article2473.html

Any idea what they're trying to say/sell?

The article is so vague as to be mostly useless, but it seems to indicate
the usual stuff like sliding windows.

-S




Re: dealing with w32/bagle

2004-03-03 Thread Scott Call

The clamav team is doing a great job of keeping up to date with the Bagle
variants, and they've also deployed a couple of generic signatures which
should catch at least some variations as they show up.

As for finding them on the filesystem once delivered, an easy place to
start is [EMAIL PROTECTED] where $domain = your local domain.  That seems
to be the one getting the most spread today that I've seen.

I have to admit at least our users seem to be learning (hit them with a
switch (either wooden or 3548) enough and they stop opening everything).

One nice feature of the newer Bagle variants is they seem to look up
their local domain's MX instead of pulling the MX out of a user's
configuration.  Since all of our domains are MX'd to a non-relaying, virus
scanning server, it's helping us keep our users from spreading the joy.

-S


On Wed, 3 Mar 2004, Dan Hollis wrote:


 I am curious how network operators are dealing with the latest w32/bagle
 variants which seem particularly evil.

 Also, does anyone have tools for regexp and purging these mails from unix
 mailbox (not maildir) mailspool files? Eg purging these mails after the
 fact if they were delivered to user's mailboxes before your virus scanner
 got a database update.

 -Dan







Re: SPAM Prevention/Blacklists

2004-03-03 Thread Scott Call

I don't know what the prevailing attitude is, but it seems to me
that 451ing unknown senders is a good way to get on the bad side of
sysadmins who have to deal with the backlog until your server decides to
accept them.

I would think if you're willing to spend others' resources on reducing
your spam load you would be willing to spend your own and implement SMTP
callback, SPF or the like.

I tried implementing SPF which actually caught a fair # of forged senders
until I noticed that ticketmaster had invalid SPF records and we were
rejecting their emails.

-S


On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:


 On Wed, 3 Mar 2004, Brandon Shiers wrote:

  Are there any other good lists out there that you folks have had good
  experience with? Any that we might want to consider taking a look at?
  Thanks,

 Have you looked at graylisting, temp failing mail with a sender/receiver/IP
 you have not seen before?

 
 Nathan Stratton  CTO, Co-Founder
 nathan at robotics.net   BroadVoice, Inc.
 http://www.robotics.net  http://www.broadvoice.com






Re: Lawsuit on ICANN (was: Re: A few words on VeriSign's sitefinder)

2004-02-26 Thread Scott Call

On Thu, 26 Feb 2004, Roman Volf wrote:


 When are they up for renewal exactly?

November 10, 2007, according to
http://www.icann.org/tlds/agreements/verisign/registry-agmt-com-25may01.htm

-S




80/udp floods?

2004-02-18 Thread Scott Call

I apologize for the potentially obvious question, but I've been through
sf, google, etc and can't find anything.

I have a customer that is currently getting several hundred thousand
packets per second sent to them on 80/udp.  /etc/services lists 80/udp as
IANA assigned for http but I've never seen a udp implementation of http so
I'm assuming it's a sneaky DOS/DDOS of some kind.

ACLs seem to work to catch it but I'm curious if anyone has seen this
specific attack (80/udp) before.

Thanks
-Scott





Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Scott Call

On Tue, 3 Feb 2004, Jeff Workman wrote:

 My guess is that too many people were getting burned by URLs like this:

 http://[EMAIL PROTECTED]

 -Jeff

Right but the bug wasn't basic auth in a URL it was that the %01 character
stopped Outlook and IE from displaying the rest of the URL, so
http://[EMAIL PROTECTED]/  would show just www.ebay.com in
both outlook and the URL bar.

The problem isn't the auth but the masking ability of the escaped
characters.

Oh well, one more standard Embraced and Extended by the beast

-S





Third Level domains patented?

2004-01-15 Thread Scott Call

http://news.com.com/2100-1038-5141810.html?tag=nefd_hed

According to the article, somebody managed to patent the selling of
www.something.something.com.  Which seems a bit asinine to me, since the
ISP I worked for in 1993 offered customers www.customer.ccnet.com.

As much as I dislike Verisign, this is silly.

I think I'll file a patent on organic O2/CO2 exchangers, and then sue
everyone who breathes

Break out the prior art



-Scott




Re: Upcoming change to SOA values in .com and .net zones

2004-01-07 Thread Scott Call

On Wed, 7 Jan 2004, Richard D G Cox wrote:


 On 7 Jan 2004 23:02 UTC Frank Louwers [EMAIL PROTECTED] wrote:

 | stupid question

 Yup!

 | but isn't 2004010101 (today) > 1076370400 (9 Feb 2004)?

 Nope!

  The new format will be the UTC time at the moment of zone generation
  encoded as the number of seconds since the UNIX epoch.
^

 ... and not as MMDDHHMMSS or any contracted version thereof!


I think what Frank is asking is a valid question.

The way BIND/etc determine when a new zone file has been issued is by
seeing if it has a higher SN than the currently cached zone.

Frank's question is that when viewed simply as 10 digit integers (which is
how BIND uses them) 2004010801 is a larger integer than 1076370400.

This might cause problems with cached zones and other such staleness, so
it does seem a valid concern.

-Scott

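The concern can be checked directly. What follows is an added example (mine, not from the thread and not BIND code) in Python: it applies RFC 1982 serial number arithmetic, the comparison rule DNS secondaries use for SOA serials, to the two serials under discussion, and goes one step beyond the thread by computing the intermediate serial a zone would have to publish to move from a date-style serial down to an epoch-style one. The hop size of 2^31 - 1 is the standard rollover procedure from RFC 1982; the function names are mine.

```python
SERIAL_MASK = (1 << 32) - 1
SERIAL_HALF = 1 << 31

# The two serials discussed in the thread: date-style for 8 Jan 2004 and the
# proposed epoch-style value.
DATE_STYLE_SERIAL = 2004010801
EPOCH_STYLE_SERIAL = 1076370400

def serial_gt(a, b):
    """RFC 1982 serial number arithmetic: True if `a` is newer than `b`.

    `a` is newer when the wrapped difference (a - b) mod 2^32 is non-zero and
    below 2^31; anything larger is read as `a` being older and wrapped around.
    """
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return a != b and ((a - b) & SERIAL_MASK) < SERIAL_HALF

def secondary_would_refresh(cached_serial, new_serial):
    """Would a secondary holding cached_serial pull a zone with new_serial?"""
    return serial_gt(new_serial, cached_serial)

def rollover_plan(cached_serial, target_serial):
    """Intermediate serials a zone has to publish (each one propagated to all
    secondaries before the next) so that every step reads as 'newer', ending at
    target_serial. Each hop adds 2^31 - 1, the largest increment RFC 1982
    still regards as an increase."""
    plan, cur = [], cached_serial & SERIAL_MASK
    while not serial_gt(target_serial, cur):
        cur = (cur + SERIAL_HALF - 1) & SERIAL_MASK
        plan.append(cur)
    plan.append(target_serial & SERIAL_MASK)
    return plan

if __name__ == "__main__":
    print("secondary refreshes on epoch-style serial:",
          secondary_would_refresh(DATE_STYLE_SERIAL, EPOCH_STYLE_SERIAL))
    print("serials to publish in order:", rollover_plan(DATE_STYLE_SERIAL, EPOCH_STYLE_SERIAL))
```

Under serial arithmetic the epoch-style value is not seen as newer than the date-style one either, so a secondary that already holds 2004010801 would ignore 1076370400; the plan shows that one intermediate serial, propagated first, lets the zone get there cleanly.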



Re: pon's and ethernet to the home

2003-12-09 Thread Scott Call

On Tue, 9 Dec 2003, Miguel Mata-Cardona wrote:


 As far as I have understood, the idea is to use the fiber as it was
 coax, doing some kind of FDM (frequency division multiplexing) with
 the lambdas (somehow the same). This would give us the capability
 to move at least n x 10mbps ethernet on the same fiber using different
 lambdas for each customer, until power budget goes down.


The units that I worked with in the past (from an outfit called Quantum
Bridge www.quantumbridge.com) worked pretty well, but the deployment model
didn't meet my employer's biz model (since it required outside plant).

Basically the way it worked was it ran ATM OC-3 (maybe OC-12) down the
fiber, using passive optical splitters, to the CPE.  The CPE used a TDM
style muxing for the return on a different lambda on the same fibre.   The
CPE itself was interesting too.  It provided a 100bt ethernet port (showed
up as an ATM PVC at the headend, with the actually allocated bandwidth
controllable from 1.5 to 100 megs), as well as 4 DS1 ports.   The DS1s were
Circuit Emulated over the ATM fabric.

Conceptually it was very interesting, and I imagine other POS solutions
are similar, as simply using a lambda per customer would not be an
efficient utilization of the available bandwidth.

-Scott




Re: Anit-Virus help for all of us??????

2003-11-24 Thread Scott Call


 NAT is not a security feature, neither does it provide any real
 security, just one to one translations.  PAT fall into the same
 category.

While it may not be a cure-all, a NAT solution offered by most entry-level
routers is an effective, if incomplete, security tool.

While it does not prevent stupid user tricks (downloading malware,
misconfiguring NAT to allow incoming connections, etc.) it does stop most
non-email worms in their tracks.

For example, from an nmap or other scan of the IP address of my home DSL
connection you would not see any interesting ports open, even if one or
more of the hosts behind the router were accessing content of some kind.

Worms that spread over open shares and insecure services (windows or
otherwise) do not ever hit any of the machines behind the NAT.

I, of course, run other security solutions (IDS detection/etc) to keep my
skills sharp, but I've been pleasantly surprised at the wherewithal of my
little Efficient router and its NAT implementation.  It's never allowed
any unwanted traffic through from the outside (port 135 crud/etc).

I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT
with PAT holes to allow access to servers) keeps honest people honest.
Could somebody figure out a way (TCP intercept, etc.) to get to a machine
behind the NAT?  I suppose so, but like the blinking red light on the
dashboard of your car, it makes the lazy thief move on to the next car
that doesn't present the appearance of protection.



-Scott



-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
These are the last days of peace in America as you know it.
And we will never be the same. -Mark Morford



RE: Harassment (was Re: ELAN.NET ...)

2003-11-02 Thread Scott Call


I should know better than to stick my foot into things, but the IP in
question (69.60.142.242) is registered with the .US registrar as
ns2.nanog.us, and is the secondary name server for nanog.us

The ethics and/or legality of registering nanog.us notwithstanding, I
don't understand this particular issue with Mr Booth (regardless of the
s/n ratio of his postings)

-S

On Sun, 2 Nov 2003, Michel Py wrote:


  Richard Cox wrote:
  The only relevance of those postings to this group can be
  found by observing exactly how the MX (69.60.142.242) for
  his email address ([EMAIL PROTECTED]) answers on
  Port 25.  Most interesting!

 Indeed. Would be worth taking action with nic.us.

 Michel.







DOS attack fills input queue?

2003-08-03 Thread Scott Call
One of my FE interfaces was stuttering this morning, and when I 
checked it out, it had an input queue of 76/75 which of course made me 
think of the recent Cisco vulnerability, which we have upgraded IOS and 
added ACLs to counteract.

I checked the ACLs and they hadn't caught any traffic from the bad 
four protocols, only TCP and UDP, so I started to investigate. 

The packets (as pulled from the buffer) have headers like:
Buffer information for Small buffer at 0x42561A68
 data_area 0x42561D18, refcount 1, next 0x41C4F394, flags 0xA00
 linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
 if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
 inputtime 0x1433CC, outputtime 0x0, oqnumber 65535
 datagramstart 0x42561D5E, datagramsize 60, maximum size 260
 mac_start 0x42561D5E, addr_start 0x42561D5E, info_start 0x0
 network_start 0x42561D6C, transport_start 0x42561D78, caller_pc 0x403F5BD4
 source: 71.209.243.3, destination: 163.29.243.5, id: 0x0100, ttl: 128,
 TOS: 0 prot: 6, source port 0, destination port 40
Buffer information for Small buffer at 0x425868E4
 data_area 0x42586B94, refcount 1, next 0x4253BC7C, flags 0xA00
 linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
 if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
 inputtime 0x96724, outputtime 0x0, oqnumber 65535
 datagramstart 0x42586BDA, datagramsize 60, maximum size 260
 mac_start 0x42586BDA, addr_start 0x42586BDA, info_start 0x0
 network_start 0x42586BE8, transport_start 0x42586BFC, caller_pc 0x403F5BD4

 source: 224.209.80.156, destination: 163.29.243.5, id: 0x0100, ttl: 128,
 TOS: 0 prot: 6, source port 0, destination port 40

and so on

Random sources, same destination, same source/destination port pairs 
(0/40 tcp)

I added:
access-list 111 deny tcp any host 163.29.243.5
access-list 111 deny tcp host 163.29.243.5 any
to the interface and it did not catch any of them, and the input queue 
returned to 76/75 (when the customer is disconnected the queue empties 
back to 0/75, when I re-enable their switchport, it takes 30-60 seconds 
to fill back up).

I'm sure the packets are probably just one of the latest windows worms, 
but what concerns me is that I can't seem to catch them in an ACL before 
they cause damage to the router.

The router is a 7507 with 12.0.25S on it.  Since 12.0.25S has given me 
(unrelated) problems on other boxes, and been pulled by Cisco, I've 
scheduled a reload to 12.0.21S7 tonight.  I don't know if that will, 
however, fix this problem, so I wanted to both ask for the advice of, 
and maybe raise a red flag for, the nanog folks out there who might run 
into the same thing.

Thanks
-Scott
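Pulling the traits out of a pile of buffer dumps like the ones above by eye is slow; the things worth noticing (random sources, one destination, a source port of 0, a multicast address as a source) are easy to check mechanically. The following Python parser is an added example (mine, not from the post and not a Cisco tool): the sample text reuses the two records quoted above with their non-essential lines trimmed, plus a third record constructed in the same format with a documentation address; the record layout it expects is the one shown in the post, and the flag names are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the buffer-dump style quoted in the post: the first two
# records repeat the post's values (non-essential lines trimmed, including the
# stray blank line in the second), the third is made up in the same format.
SAMPLE_DUMP = """\
Buffer information for Small buffer at 0x42561A68
 data_area 0x42561D18, refcount 1, next 0x41C4F394, flags 0xA00
 if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
 datagramstart 0x42561D5E, datagramsize 60, maximum size 260
 source: 71.209.243.3, destination: 163.29.243.5, id: 0x0100, ttl: 128,
 TOS: 0 prot: 6, source port 0, destination port 40
Buffer information for Small buffer at 0x425868E4
 data_area 0x42586B94, refcount 1, next 0x4253BC7C, flags 0xA00
 if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
 datagramstart 0x42586BDA, datagramsize 60, maximum size 260

 source: 224.209.80.156, destination: 163.29.243.5, id: 0x0100, ttl: 128,
 TOS: 0 prot: 6, source port 0, destination port 40
Buffer information for Small buffer at 0x42590000
 if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
 datagramstart 0x42590100, datagramsize 60, maximum size 260
 source: 192.0.2.9, destination: 163.29.243.5, id: 0x0100, ttl: 128,
 TOS: 0 prot: 6, source port 0, destination port 40
"""

IF_RE = re.compile(r"if_input \S+ \(([^)]+)\)")
SIZE_RE = re.compile(r"datagramsize (\d+)")
HDR_RE = re.compile(
    r"source: ([\d.]+), destination: ([\d.]+), id: (0x[0-9A-Fa-f]+), ttl: (\d+),"
    r"\s*TOS: (\d+) prot: (\d+), source port (\d+), destination port (\d+)")

def parse_buffers(text):
    """One dict per buffer record; records without the IP header summary are
    skipped, and blank lines inside a record (as in the post) are tolerated."""
    records = []
    for chunk in text.split("Buffer information for")[1:]:
        m = HDR_RE.search(chunk)
        if not m:
            continue
        src, dst, pkt_id, ttl, tos, prot, sport, dport = m.groups()
        ifm, sm = IF_RE.search(chunk), SIZE_RE.search(chunk)
        records.append({
            "src": src, "dst": dst, "id": int(pkt_id, 16), "ttl": int(ttl),
            "tos": int(tos), "prot": int(prot), "sport": int(sport),
            "dport": int(dport), "if_input": ifm.group(1) if ifm else None,
            "size": int(sm.group(1)) if sm else None,
        })
    return records

def invalid_sources(records):
    """Source addresses that cannot legitimately originate unicast traffic."""
    out = []
    for r in records:
        ip = ipaddress.ip_address(r["src"])
        if ip.is_multicast or ip.is_loopback or ip.is_reserved or ip.is_unspecified:
            out.append(r["src"])
    return out

def summarize(records):
    """The traits a defender wants at a glance: how many sources, how many
    destinations, the dominant protocol/port tuple, and a few oddities."""
    srcs = {r["src"] for r in records}
    dsts = {r["dst"] for r in records}
    pairs = Counter((r["prot"], r["sport"], r["dport"]) for r in records)
    flags = set()
    if len(dsts) == 1 and len(srcs) == len(records) > 1:
        flags.add("single_destination")          # many sources -> one target
    if any(r["prot"] in (6, 17) and r["sport"] == 0 for r in records):
        flags.add("source_port_zero")            # no normal TCP/UDP stack does this
    if invalid_sources(records):
        flags.add("invalid_source")              # e.g. a multicast source: spoofed
    if len({r["ttl"] for r in records}) == 1 and len({r["id"] for r in records}) == 1:
        flags.add("constant_ttl_and_id")         # one generator, not many real hosts
    return {"packets": len(records), "unique_sources": len(srcs),
            "unique_destinations": len(dsts),
            "top_pair": pairs.most_common(1)[0] if pairs else None,
            "flags": flags}

if __name__ == "__main__":
    recs = parse_buffers(SAMPLE_DUMP)
    print(summarize(recs))
    print("bogus sources:", invalid_sources(recs))
```

On the sample every flag fires: one destination, a distinct source per packet, source port 0, an identical IP id and TTL on every packet, and a multicast address in the source field, which is a packet generator with spoofed sources rather than a population of infected hosts.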



Re: Transformer takes out datacenter (Reno, NV)?

2003-07-30 Thread Scott Call

On Wed, 30 Jul 2003, Bruce Robertson wrote:

 Power was indeed off to the entire building, and ATGs generator was involved
 in the explosion, so kudos to ATG and Worldcom for having enough batteries
 to last the night.


Hi Bruce-

Just a clarification, but ATG's generator was not involved in the
transformer explosion.  The fire department cut off all the generators in
the building for safety's sake and would not let us turn them back on until
they made sure they wouldn't backfeed/cause more problems, so we were
stuck on battery until they cleared us (which makes sense, we certainly
don't want to cause more problems).  It was about 7:30 when we were
allowed to turn back on the generator.

For those who don't know, 200 South Virginia in Reno is one of the
few (if not only) carrier hotel in Reno, it has ATG, SBC, MCI, as well
as several local ISPs in it.  It also has (or had) a Genuity pop, although
I don't know if they're still there or not.

www.rgj.com has a few pictures of the building.

-Scott
ATG




Re: Remembering history passwords may be bad, but they are getting worse

2003-07-28 Thread Scott Call
Kevin Day wrote:

I run one of the larger adult websites, that has a reputation for 
being very difficult to acquire passwords for.

One of the more interesting passive ways to manage a site like this is 
to do something similar to what Streamload does (or did, I haven't tried 
it lately).

I don't know if this is useful for other web services, but for most 
non-shared accounts, there should be a limit of how many unique IP 
addresses in a set time period can access a given account.

The limit shouldn't be one, because of dynamic IPs and people having 
work and home computers, but for example 5 unique IPs per 24 hours would 
catch a shared password within a day or less.

Another limit to consider is one session per username at a time, so if a 
user is logged in and another authentication attempt is made from a 
different IP, it either terminates the first user's session or refuses 
login.  Back in the late 80s/early 90s we had a service in my area 
called POPNET that was a multi-user BBS.  They were a pay service, and 
if an account logged on twice they would lock the account for 24 hours.  
It stopped password sharing real quick :)

I personally would not object to a SecurID or USB RSA dongle for online 
banking/etc, but I can see a problem with too many standards where you 
would have a SecurID or key dongle for every different credit card and 
bank account.  What would be nice to see is a trusted third party 
(insured against loss like a bank is) that would issue a single SecurID 
that would be the key for any number of different financial 
services.   This is different than something like Microsoft's Passport 
initiative in that (a) it's SecurID based, (b) it would be maintained by 
a trusted company, and (c) it would be cross-platform.

-Scott
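
The two controls Scott describes above (a cap on distinct source IPs per account in a trailing 24-hour window, and a one-session-per-username rule with a POPNET-style 24-hour lockout), written up as an added Python example; this is not code from the original post or from any site mentioned in it. The log lines, the 5-IP threshold, the 2-hour session lifetime and the lockout length are constructed assumptions for the example.

```python
"""Detecting shared account passwords from an authentication log.

Added example (not from the original post). Implements:
  1. distinct_ip_alerts: flag an account used from more than N distinct
     IPs within a trailing 24-hour window (the post suggests N = 5);
  2. concurrent_session_check: one session per username, in the POPNET
     style, where a second login from a different IP while the first
     session may still be live locks the account for 24 hours.
Sample log lines, thresholds and timeouts are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log of successful logins: "ISO-timestamp user ip".
SAMPLE_LOG = """\
2003-07-28T00:10:00 alice 203.0.113.10
2003-07-28T03:00:00 alice 203.0.113.11
2003-07-28T08:00:00 bob 198.51.100.5
2003-07-28T09:30:00 alice 198.51.100.77
2003-07-28T10:00:00 bob 198.51.100.5
2003-07-28T12:00:00 alice 192.0.2.40
2003-07-28T13:00:00 alice 192.0.2.41
2003-07-28T14:00:00 alice 192.0.2.42
2003-07-28T23:00:00 carol 192.0.2.99
2003-07-29T01:00:00 alice 203.0.113.10
"""


def parse_log(text):
    """Parse 'timestamp user ip' lines into (datetime, user, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    events.sort(key=lambda e: e[0])
    return events


def distinct_ip_alerts(events, max_ips=5, window=timedelta(hours=24)):
    """Return (ts, user, distinct_count) for every login after which the
    account has been used from more than max_ips distinct IPs inside the
    trailing window. Entries older than the window are dropped per user."""
    recent = defaultdict(deque)  # user -> deque of (ts, ip) inside window
    alerts = []
    for ts, user, ip in events:
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        seen = {addr for _, addr in q}
        if len(seen) > max_ips:
            alerts.append((ts, user, len(seen)))
    return alerts


def concurrent_session_check(events, session_ttl=timedelta(hours=2),
                             lockout=timedelta(hours=24)):
    """One-session-per-username rule. A login from a different IP while the
    previous session is still within session_ttl is a violation and locks
    the account for `lockout`; logins during the lock are rejected.
    Returns (violations, rejected) as lists of tuples."""
    last = {}          # user -> (ts, ip) of the most recent accepted login
    locked_until = {}  # user -> datetime until which logins are refused
    violations, rejected = [], []
    for ts, user, ip in events:
        if user in locked_until and ts < locked_until[user]:
            rejected.append((ts, user, ip))
            continue
        prev = last.get(user)
        if prev and prev[1] != ip and ts - prev[0] < session_ttl:
            violations.append((ts, user, ip, prev[1]))
            locked_until[user] = ts + lockout
            continue
        last[user] = (ts, ip)
    return violations, rejected


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, user, n in distinct_ip_alerts(evs):
        print(f"{ts.isoformat()} {user}: {n} distinct IPs in 24h")
    viol, rej = concurrent_session_check(evs)
    for ts, user, ip, prev_ip in viol:
        print(f"{ts.isoformat()} {user}: login from {ip} while {prev_ip} active; locked")
    for ts, user, ip in rej:
        print(f"{ts.isoformat()} {user}: login from {ip} rejected (account locked)")
```

On the sample data the distinct-IP rule fires for alice once the sixth address appears, while the stricter session rule catches her an hour earlier and rejects everything after the lock. The two checks are independent so that a NAT-heavy user base can keep the IP cap loose while the concurrent-session rule still catches password sharing between people logging in at the same time.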



Fixed IOS datestamps?

2003-07-17 Thread Scott Call
I started collecting the new IOS files for tonight's reboot of the 
Internet, and I had a quick question.

The datestamps on a lot of the maintenance releases are months old, and 
I just want to make sure I'm getting the right stuff, as they say, so we 
don't have to do this dance again tomorrow.

For example, 12.0S users are recommended to go to 12.0(25)S, which at 
least for the GSR is dated April 14, 2003.

Do I have the right build of 12.0(25)S or will there be one with a date 
closer to the revelation of the exploit showing up on the cisco FTP site?

Thanks
-Scott


Re: Streaming dead again.

2003-02-11 Thread Scott Call


 How many would pay some $$$ for this to be moved in the future to a premium
 service provided by someone like RealMedia.  Methinks the merit servers are
 getting crushed.


Methinks Akamai might be a candidate to offer this service to nanog in
the future perhaps? :)

Avi?

FWIW the stream is working fine for me except they're not showing the
slides...


-Scott




Re: New worm / port 1434?

2003-01-25 Thread Scott Call

I'm seeing obscene amounts of 1434/udp traffic at my transit and peering
points.  I've filtered it out in both directions everywhere my network
touches the outside world.  It's almost 20% of my traffic at this point.

I think I've calmed the internal storm so far, but we'll see.

I saw reference to an ICMP trigger packet.  Is there any info on this and
is it possible to filter for it w/o killing all ICMP traffic?  It'd be
nice to know I won't have any more routers or switches fall over tonight.
Colo customers seem to be the worst off: the rate limiting kills the
router or the traffic kills the backbone.  Decisions, decisions...

-S



-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
Nothing is less productive than to make more efficient what should not be
 done at all. -Peter Drucker




vrf resources?

2002-10-17 Thread Scott Call

Hello all.

I was recently handed a piece of a network that used VRF to implement
vlans.  I'm by no means a vrf expert, but the config looks right to me.

The problem I'm having is that traffic destined for IP addresses within
the VRF Vlan from interfaces not within the VRF vlan (they don't have ip
vrf forwarding statements in their interface configurations) which of
course breaks the whole concept of a private routing table.

I've done extensive searching of Cisco's website and have found no mention
of this problem, or its avoidance when setting up a vrf vlan.  Lacking a
valid service contract, I cannot open a ticket, so any insight is greatly
appreciated.

Thanks
-Scott




Re: vrf resources?

2002-10-17 Thread Scott Call


Revised for clarity (I blame the 100.6 fever)
 The problem I'm having is that traffic destined for IP addresses within
 the VRF Vlan from interfaces not within the VRF vlan (they don't have ip
 vrf forwarding statements in their interface configurations) which of
 course breaks the whole concept of a private routing table.

Rephrase:

Traffic entering the router on an interface not bound to the VRF, but with
a destination IP within the VRF is forwarded like it entered a bound
interface, instead of being sent to the default route.

My apologies for not actually finishing my thought the first time
around :)
-s




-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
Copyright Law is not a tool of repression granted to an unaccountable
corporation by a corrupt congress at the expense of an ignorant public. -WW




Re: slapper changed to udp 1812?

2002-10-01 Thread Scott Call


On Tue, 1 Oct 2002, fingers wrote:


 hi

 I might be totally off the mark here, but has slapper now changed to port
 1812? This'll make it really difficult to filter, if you're using this
 port for RADIUS.


We saw this yesterday, directed at a previously infected slapper.a
(2002/udp backchannel) host on a customer's network, and I sent the
captured info to CERT to see what they made of it.

I didn't know if it was the slapper communications channel, or one of the
triggered DDOSs from slapper.

-S




UDP Port 2002 DDOS?

2002-09-17 Thread Scott Call


I apologize if this is an obvious question, but I've searched bugtraq and
other sources...

I've had two customers complain today about massive amounts of incoming
UDP traffic on port 2002.

They appear to be some kind of DDOS or spoofed attack since the origin IPs
on each packet are different.

Is anyone else seeing something similar?

Thanks
-S

-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
Copyright Law is not a tool of repression granted to an unaccountable
corporation by a corrupt congress at the expense of an ignorant public. -WW




Port 2002

2002-09-17 Thread Scott Call



Thanks for the quick response everyone, searching for udp 2002 found way
too many things at first, and then I found the info (within 1 minute of
sending my email, of course).

My apologies again for the time wasting :)
-S




Re: Notes on the Internet for Bell Heads

2002-07-11 Thread Scott Call


Working for a Telco with an ISP division, I can tell you the best thing to
do is wait for the Bell Heads to retire for the third time and keep
them away from your gear until then :)

But in all seriousness, a book or set of documents would be very helpful
for those few Bell-shaped Heads that want to change their evil ways.

-Scott
(who is still trying to get back the IQ points lost in trying to
understand the SS7 network and being amazed that calls ever make it
through)

-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
...Everything's going to be just great again!




RE: [OT]Microsoft makes networked software 'illegal' on XPunlessyou pay them..

2002-04-21 Thread Scott Call


Programs made illegal by this license:

VNC
PCAnywhere
Apache (CGI)
IIS (CGI) -- Weird, ain't it?
etc...

It could conceivably be applied to dedicated Quake servers and the like as
well.

Easy way to solve the problem: don't run Windows VMSNT2kXP :)

Apologies for the non-op content, back to your regularly scheduled noc
pinging.

-S


On Sun, 21 Apr 2002, Benjamin P. Grubin wrote:


 Err--I think you guys are reading too much into this.  The license (to
 me, and IANAL), seems to indicate that the workstation cannot be used as
 a server unless you purchase server licenses.  It strikes me that
 language very similar to this has been in the workstation products since
 NT4.

 I do, OTOH, think that the legal ramifications sound quite far-reaching
 since the language is so broad.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
  Behalf Of Richard Forno
  Sent: Sunday, April 21, 2002 9:22 AM
  To: [EMAIL PROTECTED]; Nanog (E-mail)
  Subject: Re: [OT]Microsoft makes networked software 'illegal'
  on XPunless you pay them...
 
 
 
  That's funny.
 
  Yet another case of someone - either a company through licensing and
  litigation, or a government through legislation - trying to effect both
  software quality.
  
  Forget the fact that such tools may be exploitable - if you're a
  computer criminal, the fact you're violating a software license clause
  probably isn't going to deter you from your actions, much like how 'drug
  crimes using a gun' probably doesn't deter many drug criminals, either.
  
  Instead of addressing the technical problem - eg, poor software
  development and flaws in how the software works - we're once again
  seeing it legislated/litigated away (I'm thinking of Adobe E-Reader,
  DeCSS, etc here).  Talk about burying your head in the sand, which
  appears to be the status quo, even in today's environment of security
  hysteria where we 'need to do more'.
  
  From what I see here in DC, nobody's REALLY interested in addressing
  security long term, as it will rock the boat too much; so we continue
  seeing little goofy ways to look like security is being addressed when
  in reality, security ISN'T being addressed.
 
  rf
  infowarrior.org
  windows-free since 1999 :)
 
 
   From: Bruce Williams [EMAIL PROTECTED]
   From
  
  http://www.infoworld.com/articles/op/xml/02/03/18/020318oplivingston.xml
 
  Microsoft's XP license agreement says, "Except as otherwise permitted by
  the NetMeeting, Remote Assistance, and Remote Desktop features described
  below, you may not use the Product to permit any Device to use, access,
  display, or run other executable software residing on the Workstation
  Computer, nor may you permit any Device to use, access, display, or run
  the Product or Product's user interface, unless the Device has a separate
  license for the Product."
 
  I guess this improves security
 
  bye,
  Bruce Williams
  Asking the wrong questions is the leading cause of wrong answers
 
-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
Credo Quia Absurdum (I believe it, because it is absurd.)