Re: interesting article on Saudi Arabia's http filtering

2004-01-15 Thread Steve Carter

There is a price to pay for freedom.  I would prefer to receive (or have
to personally control) all the nastiness that appears in my inbox than
give up any of my Internet freedoms.  But that is my opinion of what is
right for me.

That, however, does not answer your question.  My answer is that we do not
force our version of what is right or wrong on others.  The 'net is not an
entity that has ethics nor are 'ubergeeks' the right people to determine
what is and is not ethical for other users of the 'net.  That is
determined for us by the respective laws of the land in which we operate.

-Steve

* Randy Bush said:
 
 i was helping get the link up into kacst (their nsf equivalent) in
 riyadh back in '94, and a rather grownup friend there, Abdulaziz A.
 Al Muammar, who had his phd from the states and all that, explained
 it to me something like this way.
 
 yes, to a westerner, our ways of shielding our society seem silly,
 and sometimes even worse.  but tell me, how do we liberalize and
 open the culture without becoming like the united states [0]?
 
 not an easy problem.  considering the *highly* offensive material
 that arrives in my mailbox (and i do not mean clueless nanog
 ravings:-), my sympathy for abdulaziz increases monotonically.
 
 so perhaps we should ask, rather than ranting, how do we, the
 self-appointed ubergeeks of the net, think we can clean up our own
 back yards, before we start talking about how others maintain
 theirs?
 
 randy
 
 ---
 
 [0] - which, americans need to realize is, to much of the civilized
   world, the barbarian hordes, sodom, and gomorrah rolled into
   one
 


Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Steve Carter

* [EMAIL PROTECTED] said:
 
 On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote:
 
  We have a similarly sized connection to MFN/AboveNet, which I won't
  recommend at this time due to some very questionable null routing they're
  doing (propagating routes to destinations, then bitbucketing traffic sent
  to them) which is causing complaints from some of our customers and
  forcing us to make routing adjustments as the customers notice
  MFN/AboveNet has broken our connectivity to these destinations.
 
 We've noticed that one of our upstreams (Global Crossing) has introduced 
 ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings 
 through them look awful (up to 60% apparent packet loss).  After 
 contacting their NOC, they said that the directive to install the ICMP 
 rate limiting was from the Homeland Security folks and that they would not 
 remove them or change the rate at which they limit in the foreseeable 
 future.

Homeland Security recommended the filtering of ports 137-139 but have not,
to my knowledge, recommended rate limiting ICMP.

I speak for Global Crossing when I say that ICMP rate limiting has existed
on the Global Crossing network, inbound from peers, for a long time ... we
learned our lesson from the Yahoo DDoS attack (when they were one of our
customers) back in the day and it was shortly thereafter that we
implemented the rate limiters.  Over the past 24 hours we've performed
some experimentation that shows outbound rate limiters being also of value
and we're looking at the specifics of differentiating between happy ICMP
and naughty 92 byte packet ICMP and treating the latter with very strict
rules ... like we would dump it on the floor.  This, I believe, will stomp 
on the bad traffic but allow the happy traffic to pass unmolested.

The rate-limiters have become more interesting recently, meaning they've
actually started dropping packets (quite a lot in some cases) because of
the widespread exploitation of unpatched windows machines.

Our results show that were we to raise the size of the queues the quantity
of ICMP is such that it would just fill it up and if we permit all ICMP to
pass unfettered we would find some peering circuits that become congested.
Our customers would not appreciate the latter either.

-Steve


Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting

2003-08-28 Thread Steve Carter

* Sean Donelan said:
 
 On Thu, 28 Aug 2003, Steve Carter wrote:
  The rate-limiters have become more interesting recently, meaning they've
  actually started dropping packets (quite a lot in some cases) because of
  the widespread exploitation of unpatched windows machines.
 
 Yep, the amount of ICMP traffic seems to be increasing on most backbones
 due to worm activity.  It probably hasn't exceeded HTTP yet, but it is
 surpassing many other protocols.  Some providers have seen ICMP increase
 by over 1,000% over the last two weeks.

The results of our data collection are almost unbelievable.  I've had to
have it rechecked multiple times because I had a hard time even grokking
the scale.  Like, dude, is your calculator broken?

It appears that the volume is still growing ... even with the widespread
publicity.  Those of us that are sourcing this traffic need to protect
ourselves and the community by rate limiting because the exploited are
not.

I agree with Wayne that we need to be smart (reads: very specific) about
how we rate limit during this event.  When the event is over we can go 
back to just a simple rate limit that protects us in a very general way 
until the next event jumps up.

private message
Yuh, Jay, I changed my tune ... you were right.
/private message

-Steve
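The size-based split described in the two Global Crossing posts above (ordinary ICMP versus the 92-byte echo requests that get "very strict" treatment), together with the "very specific" event-time rate limiting the second post agrees with, as an added example that is not part of any post and not Global Crossing's configuration. It parses constructed IPv4/ICMP packets, classifies echo requests by IP total length, and polices each class with its own token bucket; the 84/92-byte sample capture, the rates and the burst sizes are assumptions chosen for illustration.

```python
"""Classify ICMP echo traffic by IP total length and police each class with
its own token bucket.  Added illustration, not any provider's configuration;
the rates, bursts and the sample capture below are constructed."""
import struct
from collections import Counter

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
SUSPECT_TOTAL_LENGTH = 92   # IP total length the post singles out as "naughty"


def build_icmp_echo(payload_len):
    """Construct a minimal IPv4 + ICMP echo request carrying payload_len bytes (sample input)."""
    total_len = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))  # checksum left 0
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + b"\x00" * payload_len


def parse_icmp(raw):
    """Return (ip_total_length, icmp_type) for an IPv4 ICMP packet, else None."""
    if len(raw) < 20:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != ICMP_PROTO or len(raw) < ihl + 8:
        return None
    return total_len, raw[ihl]


def classify(raw):
    """'suspect' for 92-byte echo requests, 'normal' for other ICMP, None for non-ICMP."""
    parsed = parse_icmp(raw)
    if parsed is None:
        return None
    total_len, icmp_type = parsed
    if icmp_type == ICMP_ECHO_REQUEST and total_len == SUSPECT_TOTAL_LENGTH:
        return "suspect"
    return "normal"


class TokenBucket:
    """Integer-only token bucket: rate in packets/s, time in ms, tokens in 1/1000 units,
    so the simulation is deterministic (no float drift)."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = 0

    def allow(self, ts_ms):
        self.tokens = min(self.cap, self.tokens + (ts_ms - self.last_ms) * self.rate)
        self.last_ms = ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def police(traffic, policy):
    """traffic: iterable of (ts_ms, raw_packet); policy: class -> TokenBucket.
    Returns a Counter keyed by (class, 'pass'|'drop')."""
    stats = Counter()
    for ts_ms, raw in sorted(traffic, key=lambda t: t[0]):
        cls = classify(raw)
        if cls is None:
            continue                      # non-ICMP is not policed here
        verdict = "pass" if policy[cls].allow(ts_ms) else "drop"
        stats[(cls, verdict)] += 1
    return stats


def sample_traffic():
    """Constructed 10 s capture: 10 pps of ordinary 84-byte pings (56-byte payload)
    mixed with a 100 pps flood of 92-byte echo requests (64-byte payload)."""
    normal = [(i * 100, build_icmp_echo(56)) for i in range(100)]
    flood = [(i * 10, build_icmp_echo(64)) for i in range(1000)]
    return normal + flood


def default_policy():
    # Generous bucket for ordinary ICMP, a very strict one for the suspect size class.
    return {"normal": TokenBucket(rate_pps=100, burst=100),
            "suspect": TokenBucket(rate_pps=1, burst=1)}


def run():
    return police(sample_traffic(), default_policy())


if __name__ == "__main__":
    for (cls, verdict), n in sorted(run().items()):
        print(f"{cls:8s} {verdict}: {n}")
```

With these constructed inputs all 100 ordinary pings pass while 990 of the 1000 suspect packets are dropped. A length-only match also catches any legitimate echo request that happens to be 92 bytes, which is why the post frames the strict rule as something specific to the event rather than the permanent general limiter.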


Re: Lazy Engineers and Viable Excuses

2003-08-26 Thread Steve Carter

* Richard A Steenbergen said:
 
 On Tue, Aug 26, 2003 at 10:10:57AM -0400, Leo Bicknell wrote:
  In a message written on Tue, Aug 26, 2003 at 09:55:30AM -0400, Jared Mauch wrote:
Yes, it is that hard.  Sadly, almost everyone I see push the IRR
works for a small ISP.  And at least half of those work for a small
ISP in Europe.
   
 CW, Level3, Global Crossing and NTT/Verio are small isps?
  
  Please correct me if I'm wrong, but they all use the IRR to filter
  customers.  That's a fine application of the IRR, and one I encourage.
  I don't think any of them use the IRR to filter peers.  Indeed, I
  can prove they don't filter certain big peers due to the fact they
  don't register their routes at all. :)
 
 Global Crossing doesn't use the IRR to filter their BGP speaking
 customers, every prefix-list update gets touched by a human. While their
 response time is good, and they're generally friendly people, they do have
 a tendency to prove that they are human by forgetting or typoing a random
 route with nearly every other update. When you start getting into the
 hundreds of routes, personally I will go through the trouble to maintain
 IRR entries any day vs letting humans break stuff.

As is usual with most things, it's not black and white.  It's a sticky
position that some major providers find themselves in.  A lot of customers
do not maintain their IRR objects or even have them at all.  The traction
would have to come from the provider themselves in a lot of cases, but
then customers are apt to complain when a major provider registers 'their'
routes on an IRR ... kinda like a dog peeing on a hydrant, some customers
tend to think registration means a kind of ownership claim.

-Steve
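The customer-facing use of the IRR discussed above, as an added example that is not code from any of the posters or providers: build a prefix filter from route objects, check what the customer actually announces against it, and diff a hand-typed prefix-list against the generated one, the kind of drift the quoted message complains about. The route objects, ASNs, prefixes and the more-specific policy are constructed or assumed for illustration.

```python
"""Build a customer prefix filter from IRR route objects and check announcements
against it.  Added illustration, not any provider's tooling; the route objects,
ASNs and announcements are constructed."""
import ipaddress
from collections import defaultdict

# Constructed RPSL route objects, standing in for a whois/IRRd query result.
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64496
source:  EXAMPLE

route:   198.51.100.0/24
origin:  AS64496
source:  EXAMPLE

route:   203.0.113.0/24
origin:  AS64497
source:  EXAMPLE
"""


def parse_route_objects(text):
    """Map origin ASN -> set of registered IPv4 networks."""
    allowed = defaultdict(set)
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if "route" in fields and "origin" in fields:
            allowed[fields["origin"].upper()].add(ipaddress.ip_network(fields["route"]))
    return allowed


def generated_prefix_list(allowed, origin):
    """The prefix-list a provider would push for one customer AS: exact registered routes."""
    return sorted(str(n) for n in allowed.get(origin.upper(), ()))


def check_announcements(allowed, announcements, max_len=24):
    """announcements: iterable of (prefix, origin_asn).  Policy (an assumption here):
    accept exact registered routes or their more-specifics no longer than max_len."""
    verdicts = {}
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        registered = allowed.get(origin.upper(), set())
        if net.prefixlen > max_len:
            verdicts[prefix] = f"reject: longer than /{max_len}"
        elif any(net.subnet_of(r) for r in registered):   # subnet_of is also true for equality
            verdicts[prefix] = "accept"
        else:
            verdicts[prefix] = f"reject: no route object for {origin}"
    return verdicts


def diff_prefix_lists(manual, generated):
    """Compare a hand-typed prefix-list with the IRR-derived one; returns (missing, extra)."""
    manual = {str(ipaddress.ip_network(p)) for p in manual}
    generated = set(generated)
    return sorted(generated - manual), sorted(manual - generated)


if __name__ == "__main__":
    allowed = parse_route_objects(IRR_DUMP)
    announcements = [("192.0.2.0/24", "AS64496"),
                     ("198.51.100.0/25", "AS64496"),   # too specific
                     ("203.0.113.0/24", "AS64496"),    # registered to a different origin
                     ("10.0.0.0/8", "AS64496")]        # never registered
    for p, v in check_announcements(allowed, announcements).items():
        print(f"{p:18s} {v}")
    # Hand-typed list with the kind of typo the thread complains about (192.0.20 vs 192.0.2)
    typo_list = ["192.0.20.0/24", "198.51.100.0/24"]
    print(diff_prefix_lists(typo_list, generated_prefix_list(allowed, "AS64496")))
```

The diff is the part that addresses the quoted complaint: regenerating the list from the registry and comparing it with what a human typed turns a silent typo into a reported discrepancy before it blackholes a customer route.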


Re: email virus == over the top

2003-08-21 Thread Steve Carter

Even they don't like you dude ... the sources are forged ... :)

-Steve

* neal rauhauser said:
 
 
   No one loves me and I don't get much email from the folks who tolerate
 me. I just got back from having lunch with some guys who tolerate me and
 I found scads of messages from all over -the funniest among the bunch
 for our Nanog readers:
 
 user@cisco.com
 user@tacnet.com
 user@wcom.com
 user@sprint.com
 
 
   Looks like my internetwork equipment vendor and my two favorite peers
 have their Windoze stuff in a complete state of 'higgledy piggledy' - a
 technical term from Bloom County cartoons, for those not old enough to
 remember.
 
 
   I hate to rub it in, but I've got fifty days of uptime on everything
 I'm responsible for and the only reason it isn't a hundred and fifty is
 due to me taking them down for an OS upgrade.
   
 root 1  0.0  0.1   5520  ??  ILs   3Jul03   0:01.56
 /sbin/init --
 
 
   Windows is a question presented to each of us. Some find their answer
 here == http://freebsd.org


Re: ebgp-multihop

2003-02-27 Thread Steve Carter

* Tim Rand [EMAIL PROTECTED] [030227 16:39]:
 Hi -
 I have searched the archives but have not found an answer to my question
 - is there any danger in using excessively high TTL values with
 ebgp-multihop?  For example, neighbor x.x.x.x ebgp-multihop 255 - 255 is
 generally much higher than needed, but is there any risk/danger ??  
 Thanks in advance.  - Tim

There is a potential for blackholing traffic should you be dual (or multi)  
homed and if the ebgp-multihop session were able to re-establish over
another path.  Better to keep it close to what you'd expect your maximum
number of hops to be to reduce the potential for undesirable modes.

-Steve