Re: Assigning IPv6 /48's to CPE's?
Tim Franklin wrote: On Thu, January 3, 2008 3:17 pm, William Herrin wrote: In my ever so humble opinion, IPv6 will not reach significant penetration at the customer level until NAT has been thoroughly implemented. Corporate information security officers will insist. Here's the thing: a stateful non-NAT firewall is automatically less secure than a stateful translating firewall. Why? Because a mistake configuring a NAT firewall breaks the network causing everything to stop working while a mistake with a firewall that does no translation causes data to flow unfiltered. Humans being humans, mistakes will be made. The first failure mode is highly preferable. Only assuming the nature of your mistake is 'turn it off'. I can fat-finger a 'port-forward *all* ports to important internal server', rather than just '80/TCP' pretty much exactly as easily as I can fat-finger 'permit *all* external to important internal server' rather than just '80/TCP'. Which failure mode is more acceptable is going to depend on the business in question too. If 'seconds connected to the Internet' is a direct driver of 'dollars made', spending a length of time exposed (risk of loss) while fixing a config error may well be preferable to spending a length of time disconnected (actual loss). I'll grant the 'everything is disconnected' case is easier to spot, though - especially if you don't have proper change management to test that the change you made is the change you think you made. Plus an ultimate 'oops, I unapplied the access-list on my internet facing interface' on a firewall should result in all traffic being blocked, at least on decent firewall... I think that's what was being talked about, no? I'm only speaking from experience on Cisco firewalls where a lower security interface cannot pass traffic to a higher level interface without explicit commands. 
Of course, allowing all traffic through 'by mistake' can just as easily be done with 1-to-1 static NAT configs and allowing all traffic in the access-list/firewall rule set when you are using NAT. Ultimately, someone who understands the equipment should be administering it, but we're all human and mistakes happen I suppose. I personally would not rely on NAT as an exclusive security mechanism in lieu of an actual firewall, but it works decently for most home users. IPv6 enabled SOHO devices will just need to block all ports by default. End users can open ports they need on their SOHO devices just like they map them today with NAT... or maybe UPnP will extend to IPv6 (or has it?) to configure firewall rules dynamically for people on their gateway? -- Vinny Abello Network Engineer [EMAIL PROTECTED] (973)940-6100 (NOC) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There is no objective reality. Only that which is measured exists. We construct reality, and only in the moment of measurement or observation. -- Niels Bohr
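The fat-finger discussed in this thread ("permit all external to important internal server" instead of just 80/TCP) is cheap to catch mechanically before a rule set is committed. What follows is an added example written for this page, not code from anyone in the thread or from Cisco: a small lint over Cisco-style extended access-list lines that handles a deliberately narrow subset of the IOS syntax (protocol, "any"/"host X"/"X WILDCARD" source and destination, optional "eq PORT") and flags permits that let any external source reach an internal host on every protocol or on every TCP/UDP port. The rule set it is fed is constructed for the example; 192.0.2.10 is documentation space.

```python
"""Lint Cisco-style extended ACL lines for the 'permit everything to the
internal server' fat-finger.

Added example for this page, not code from the thread. Handles a small,
deliberately limited subset of IOS extended access-list syntax:
  access-list <id> permit|deny <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>" + _ADDR + r")\s+(?P<dst>" + _ADDR + r")"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def lint_acl(lines: List[str]) -> List[Finding]:
    """Return one Finding per permit that is broader than a single-port rule.

    Unparsed lines are reported too: a lint that silently skips what it
    does not understand gives false confidence.
    """
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("!"):  # blank line or IOS comment
            continue
        m = ACL_RE.match(line)
        if m is None:
            findings.append(Finding(n, line, "unparsed line, review manually"))
            continue
        if m["action"] != "permit" or m["src"] != "any":
            continue  # denies, and permits scoped to a source, are out of scope here
        proto: str = m["proto"]
        port: Optional[str] = m["port"]
        if proto == "ip":
            findings.append(Finding(n, line, "permits every protocol from any source"))
        elif proto in ("tcp", "udp") and port is None:
            findings.append(Finding(n, line, f"permits all {proto} ports from any source"))
    return findings


# Constructed rule set: line 1 is the intended rule, lines 2 and 3 are the
# two ways of fat-fingering it that the thread describes.
SAMPLE_ACL = [
    "access-list 101 permit tcp any host 192.0.2.10 eq 80",
    "access-list 101 permit tcp any host 192.0.2.10",
    "access-list 101 permit ip any host 192.0.2.10",
    "access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 22",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    for f in lint_acl(SAMPLE_ACL):
        print(f"line {f.line_no}: {f.reason}: {f.rule}")
```

Run against the constructed rule set it reports lines 2 and 3 and stays quiet about the intended rule and the source-scoped SSH permit. The same idea applies to the NAT side of the argument: a 1-to-1 static with an accompanying "permit ip any host" is exactly as exposed as the non-NAT rule, which is why the check keys on the permit, not on whether translation is in use.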
Re: shameful-cabling gallery of infamy - does anybody know where it went?
Scott Weeks wrote: --- [EMAIL PROTECTED] wrote: - From: Justin M. Streiner [EMAIL PROTECTED] Note that telcos are not immune to shoddy cabling/installation work. snip http://www.cluebyfour.org/~streiner/mbr-pop-2000-ladder.JPG Do that at the telco in Hawaii and you won't be working here very long. ;-) The installation work and wiring here is something to swoon over. One of the stranger things a field tech of ours encountered wasn't necessarily bad wiring (although it's not great), but the fact that the demarc was located next to the toilet in the bathroom. Naturally, the constant humidity caused bad corrosion problems and other issues with their telco services. :) So as a general rule of thumb, avoid putting your telco and/or network gear next to the crapper or the services the equipment is meant to provide might also stink. http://users.tellurian.com/vabello/bathroom-demarc.jpg -- Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
Network Solutions outage?
Did anyone else notice the withdrawal of 205.178.184.0/21? I couldn't reach Network Solutions or any worldnic.com DNS servers for at least 10 minutes from our network or any route server I tried on the Internet. All were on this /21 which was no longer being announced from any perspective I saw. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
Re: Akamai server reliability
At 01:39 PM 11/28/2005, Roy wrote: Hi, Many moons ago, we got a set of Akamai servers. Over the years I think they replaced every one of them at least once. Last August we got another set of servers due to a move and now two of those three servers have failed. I still have the original server that started garlic.com in production after 11+ years so I know servers can last a long time. I don't understand why Akamai failure rates are so high Is anyone else seeing high failure rates of Akamai servers at their facilities? Out of the total three Akamai servers we have, I think we've had two of them replaced in the past three or four years that we've had them. One was replaced several times. The replacement servers tend to be refurbished and I've seen multiple things wrong with them when they arrive. If I recall correctly, one replacement wouldn't even boot successfully... Just kept crashing. Reloading the OS from an Akamai recovery CD had no effect. Shipping does cause problems whereby the parts can come loose during transit. The most common problem we see is failed hard drives and/or SCSI bus errors which are likely related to the hard drive failures. I'm surprised Akamai doesn't have any hardware RAID with hot swap yet (at least not in the boxes we have). It would be much less costly for them to ship a new hard drive than a whole new server each time a hard drive fails. I know the idea is to have very cheap boxes in clusters, but I wonder how much they're paying in shipping for replacing the cheap hardware. As of late, we've had no known problems with our Akamai boxes. That one box does occasionally have weird SCSI hangs where the other two work nonstop. For the most part it is fine though. 
Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
RE: Switch advice please - followup
At 02:39 PM 7/22/2005, Nicole wrote: The sad part is I hate Cisco. Well I hate IOS. It is the most counter intuitive interface known to man. Really? I find Cisco's CLI in IOS to be one of the best out there and very intuitive. After years of working on Cisco routers and mostly CatOS on Catalyst switches, when I started using IOS on Catalyst switches, it made a lot more sense to me (than CatOS did at first) and I was able to pick it up very quickly. CatOS makes sense in its own right, but I still prefer IOS. Maybe it's just the years of using it that make me feel at home. :) We currently have several 3550's and one that is still partially brain dysfunctional after a senior network engineer at a hosting facility got a-hold of it to help out. And that's the switch's or an IOS fault? ;) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
Re: AOL scomp
At 08:17 AM 3/1/2005, Jim Segrave wrote: On Thu 24 Feb 2005 (12:40 -0500), [EMAIL PROTECTED] wrote: On Thu, 24 Feb 2005 12:28:58 EST, Matt Taber said: It's too bad that about 1/3 of the reported mails are valid opt-in lists. Proof that any network management or security or anti-spam scheme that implies end users with functional neurons is doomed from the get-go. I don't understand this complaint - we process AOL TOS Notifications daily and I find perhaps 1 in a hundred or so are not valid complaints. I can attest that we do not see the same here as you are seeing (1 in 100). I'd agree more with the 1/3 being stupid AOL users reporting regular messages that were either forwarded from their own account that we host to their AOL account or mailing lists that they signed up for as spam. In fact, I read an interesting email last night that was from AOL scomp because someone with an AOL email address was tired of arguing with someone else they know via email so they just reported it as spam... not realizing that we get a copy of it and are now privy to a personal feud among family members or friends. sigh The majority of them though, are messages from lists that they signed up for themselves and don't understand how to get off the list (despite the fact it's written at the bottom of every message to the list with a link). If you run some high volume lists you'll start seeing dumb reports from AOL scomp. My impression is that many AOL users think that feature is for deleting mail. I've not seen AOL software in years, but maybe if AOL put some sort of warning when they submit these messages... Maybe it's just the user base @ AOL that our mail servers deal with. :) Otherwise, I think that it can be helpful in identifying issues. Just my $0.02. 
Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
Re: AOL scomp
At 03:08 PM 2/24/2005, Matthew Crocker wrote: Due to AOL scomp and SPF we have stopped forwarding all together. Existing accounts are grandfathered and we are working on migrating them all to IMAP-SSL. ALL new accounts have to IMAP their mail from our servers. I get WAY too much junk from forwarded mail going to AOL. I also get way too many tech support calls about forwarded mail being rejected because of SPF -Matt Forwarded mail shouldn't be rejected as a result of SPF if your mail server is using SRS to rewrite the from addresses in the mail from part of the SMTP transaction of the forwarded emails... as long as your SPF record isn't messed up of course. :) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN Courage is resistance to fear, mastery of fear - not absence of fear -- Mark Twain
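The SRS point made above is worth seeing in code: a forwarder rewrites the envelope MAIL FROM so that the receiving site's SPF check is evaluated against the forwarder's domain (whose SPF record does list the forwarder's servers), and bounces to the rewritten address can be validated and unwrapped back to the original sender. The following is an added example written for this page, not code from the thread or from any MTA. It follows the SRS0 address layout from the SRS draft (SRS0=hash=timestamp=orig-domain=orig-local@forwarder); the hash construction (HMAC-SHA1, base64, truncated to 4 characters), the 2-character base32 day counter and the 21-day validity window are assumptions of this example, not a description of what any particular implementation does.

```python
"""Sender Rewriting Scheme (SRS0) for a forwarding MTA.

Added example for this page, not code from the thread or from any MTA.
Address layout follows the SRS draft; hash truncation, base32 alphabet
and validity window are assumptions of this example.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # base32 alphabet for the day counter (assumed)


def _encode_day(day: int) -> str:
    """Two base32 characters encoding the day counter modulo 1024."""
    day %= 1024
    return _B32[(day >> 5) & 31] + _B32[day & 31]


def _decode_day(ts: str) -> int:
    if len(ts) != 2 or any(c not in _B32 for c in ts):
        raise ValueError("malformed SRS timestamp")
    return _B32.index(ts[0]) * 32 + _B32.index(ts[1])


def _tag(secret: bytes, ts: str, domain: str, local: str) -> str:
    """Truncated HMAC over timestamp+domain+local, lower-cased first so a
    relay that case-folds the address does not break verification."""
    data = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder: str, secret: bytes, day: Optional[int] = None) -> str:
    """Rewrite the envelope MAIL FROM of a forwarded message so the next
    hop's SPF check is made against <forwarder>, not the original domain."""
    if day is None:
        day = int(time.time() // 86400)
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("sender is not user@domain")
    if local.upper().startswith("SRS0="):
        raise ValueError("already rewritten; SRS1 chaining is not implemented here")
    ts = _encode_day(day)
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address: str, secret: bytes, day: Optional[int] = None, max_age_days: int = 21) -> str:
    """Validate a bounce sent to an SRS0 address and recover the original
    sender. Raises ValueError on forgery or expiry, so the forwarder does
    not become a bounce relay for addresses it never rewrote."""
    if day is None:
        day = int(time.time() // 86400)
    local, sep, _ = address.rpartition("@")
    if not sep or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    try:
        _, tag, ts, domain, orig_local = local.split("=", 4)
    except ValueError:
        raise ValueError("malformed SRS0 address") from None
    expected = _tag(secret, ts, domain, orig_local)
    if not hmac.compare_digest(tag.lower().encode(), expected.lower().encode()):
        raise ValueError("SRS hash mismatch")
    age = (day - _decode_day(ts)) % 1024
    if age > max_age_days:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    rewritten = srs_forward("alice@example.org", "forwarder.example", secret, day=20000)
    print(rewritten)
    print(srs_reverse(rewritten, secret, day=20003))
```

The forwarder's own SPF record still has to be correct, as the post says: SRS only moves the SPF question from the original domain to the forwarder's domain, it does not answer it. The timestamp window is what keeps an SRS0 address from being a permanent open relay path once it has leaked into a spammer's address list.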
Re: The Cidr Report
At 02:52 PM 2/12/2005, Fredy Kuenzler wrote: Alexander Koch wrote: I am not sure doing it the Swisscom way (they filter a lot) is the way to go, yet I would be curious how many routes they currently carry for a full route set. Ah, here it is: - route-views.oregon-ix.net>sh ip bg su | incl 3303 164.128.32.11 4 3303 3351176 140593 74037481 0 0 2w2d 69713 - Since you mentioned it: http://www.ip-plus.net/technical/route_filtering_policy.en.html Additionally you might want to see the slides of André Chapuis' presentation held at SwiNOG #7: http://www.swinog.ch/meetings/swinog7/BGP_filtering-swinog.ppt Pros and cons, of course. But I guess Swisscom is still living with 128 Meg ;-) If that list is current, they're also living without connectivity to many networks on the Internet (entire /8's missing). ;) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: What HTTP exploit?
At 11:07 AM 5/31/2004, Mike Nice wrote: It seems to be another stupid Microsoft Exploit that just causes annoyance for Unix Boxes. The only side effect is they fill my dmesg logs with signal 11's from apache crashing. Am I the only one that sees the irony that Apache seg faults from an attack aimed at Msoft?! I mentioned that too to the original poster, but they didn't seem that concerned since Apache respawns itself. I thought if it can be crashed by cramming too much info into a buffer before it's truncated, that's considered a buffer overflow. I'm no programmer and may be off base here but it just struck me as odd also. You're not alone Mike. :) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: disabling SMTP
At 07:20 AM 3/29/2004, Rob Nelson wrote: when smtp fixup is on (default on many older pixes, i gather that there may be some improvements on newer pixes), the smtp banner is mostly obscured by * characters. the intent is a classic security by obscurity play, to hide the type and version of the MTA behind the pix. Okay, so this is a problem when an SMTP server is hosted behind the PIX? I thought the fixup statements were for outbound connections, and with it on right now I get the full banner from SMTP servers. I don't host an SMTP server myself, so can't check that. SMTP fixup is for hosts behind the firewall. That is after all what it's trying to protect (in theory) by mangling the SMTP protocol. :) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Counter DoS
At 02:25 AM 3/11/2004, Gregory Taylor wrote: After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprit themselves, thus pouring gasoline all over an already blazing inferno. Plus imagine an attack originates behind one of these devices for some reason attacking another device. It'll just create a massive loop. :) That would be interesting. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: eBGP, iBGP, injecting networks
Well, you sort of can with confederations (internally) but the external view is still the single advertised ASN. At 07:10 PM 2/20/2004, william(at)elan.net wrote: Note - I got confused by the subject and everything myself. The routes you have locally would not be from IBGP but just directly through IGP (i.e. OSPF or EIGRP etc). I don't think you can really do IBGP if routers are not configured with the same ASN. On Fri, 20 Feb 2004, william(at)elan.net wrote: Ok. The way I read this is that you're redundant as far as one of your upstream links going down - it'd not cause complete meltdown as that router that had that link would still be announcing that space to the other router (over EBGP) and then to the net. What you're worrying then is what happens if actual router is down, right? But that begs the question of how you're getting the routes that router is announcing in the first place. Is it coming from some other edge router (that is also talking over local net to your 2nd core router)? If so each of your routers has complete local routes table through IBGP and you are not announcing it all because you're using static network statements in BGP config. In that case my suggestion would be to drop EBGP connection between routers and have each router announce entire ip space but put up 'as-path prepend' statements with the other adding the other router's ASN for routes that you want to be considered as being primary from that other router. Now exact configuration suggestion would depend on what hardware the routers are, i.e. is it cisco, etc. P.S. I've never been in situation of having to merge two ASN's or in situation you describe, so possibly people who have would have better suggestions. On Fri, 20 Feb 2004 [EMAIL PROTECTED] wrote: greetings list, hoping someone can hook me up on the right way to do this. --- we have two ASN's we control. we have two border/edge routers (1 in each ASN) that talks to a different backbone provider. 
the two border routers peer with each other over eBGP and also are in the same OSPF process. (we are working to merge them into the same BGP ASN) my question is this: how do we achieve router redundancy between these two routers? currently if we lose a transit link, the traffic will flow fine out the other pipe. but we don't have BGP network statements in router 2 that exist in router 1 and we don't have BGP network statements in router 1 that exist in router 2. so the routes injected into BGP from router 1 will get withdrawn right if router 1 dies? is it a problem to announce the same networks from two different eBGP peers to two different upstreams? -- if you are still reading, thanks! to clarify some more- current setup: ASN 1 (we're not Genu!ty- just using for an example) :) ASN 1 injects all of its own space and announces this space to Above.net and ASN 2 ASN 2 injects all of its own space and announces this space to Savvis and ASN 1. so stuff out on the net looks like: 1 6461 etc etc and 1 2 6347 --- 2 6347 etc etc and 2 1 6461 etc etc --- so, you see we are prepending one of our AS's on the way out. the problem is tho, we only have 1 router in each respective Autonomous System injecting address space. if we lose that router, we lose announcing that ASN's space. is it totally going to cause probs to have routes originating from two different AS's? routing loops would be a real drag. what about having an iBGP router in AS 1 inject the same space as the border router in AS 1? this other router also peers with AS 2 thanks a lot! jg Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Interesting BIND error
At 05:31 PM 2/12/2004, Brian Bruns wrote: On Thu, February 12, 2004 4:52 pm, Brian Wallingford said: We've been seeing the following on all of our (9.2.1) authoritative nameservers since approximately 10am today. Googling has turned up nothing; I'm currently trying to glean some useful netflow data. Just wondering if this is local, or if others have suddenly seen the same. Seems harmless enough, but the logging is eating a disproportionate amount of cpu. Feb 12 16:25:07 ns1 named[3150]: internal_send: 244.254.254.254#53: Invalid argument Its possible that someone is spoofing UDP packets to your nameserver from that IP range (which is IANA reserved space). It looks like BIND is refusing to send to that address, and thus the error. At least, IMHO. So I could be wrong :) Someone is likely using relays.monkeys.com on their mail server which is resolving against your DNS server. It is a now defunct blacklist. They changed all their records to resolve to 244.254.254.254 in order to get people's attention and get them to stop using the service. You should filter 240.0.0.0/4 on your BIND servers anyway. Alternatively, you can just create an authoritative zone for relays.monkeys.com on your servers and leave them blank except for required records like SOA and NS. There is a small discussion going on about this on the bind9-users list and this information is strictly pulled from there. You might want to check that list out or similar ones for more information. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
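The relays.monkeys.com episode above is the general failure mode of any DNS blacklist: a list that goes dark, or is deliberately made to answer everything, turns every mail server still consulting it into a self-inflicted outage. The following is an added example written for this page, not code from the thread or from BIND: it builds the reversed-octet query name for a DNSBL, refuses to treat an answer outside 127.0.0.0/8 (and in particular anything in the reserved 240.0.0.0/4, where 244.254.254.254 lives) as a listing, and runs the RFC 5782 health probes (127.0.0.2 must be listed, 127.0.0.1 must not) before the list is allowed to influence a reject decision. The resolver is injected as a callable so the example runs offline; the zone names and answers are constructed, with relays.monkeys.example standing in for the defunct list.

```python
"""Sanity-check DNSBL answers before acting on them.

Added example for this page, not code from the thread or from BIND.
Conventions used: a listing is an A record in 127.0.0.0/8, 127.0.0.2 is
the test point every live list must list, 127.0.0.1 must never be listed
(RFC 5782). The resolver is a callable so the example runs offline.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]  # qname -> A records; [] means NXDOMAIN

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")
CLASS_E = ipaddress.ip_network("240.0.0.0/4")  # reserved; never a valid DNSBL answer


def dnsbl_qname(client_ip: str, zone: str) -> str:
    """Reverse the client address under the list zone:
    192.0.2.1 + relays.example -> 1.2.0.192.relays.example."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def classify_answer(answers: List[str]) -> Tuple[str, Optional[str]]:
    """Map a DNSBL response to (verdict, detail)."""
    if not answers:
        return "not_listed", None
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    outside = [a for a in addrs if a not in LISTING_RANGE]
    if outside:
        if any(a in CLASS_E for a in outside):
            return "list_unusable", "answer in reserved 240.0.0.0/4"
        return "list_unusable", f"answer outside 127.0.0.0/8: {outside[0]}"
    return "listed", ",".join(str(a) for a in addrs)


def check_zone_health(zone: str, resolve: Resolver) -> str:
    """RFC 5782 probes: the test point must be listed, 127.0.0.1 must not."""
    verdict, _ = classify_answer(resolve(dnsbl_qname("127.0.0.2", zone)))
    if verdict != "listed":
        return "dead_or_unusable"  # never let this zone drive a mail decision
    if resolve(dnsbl_qname("127.0.0.1", zone)):
        return "lists_everything"  # wildcarded zone: would reject all mail
    return "healthy"


def should_reject(client_ip: str, zone: str, resolve: Resolver) -> bool:
    """Reject only on a genuine listing from a zone that passes the probes."""
    if check_zone_health(zone, resolve) != "healthy":
        return False
    verdict, _ = classify_answer(resolve(dnsbl_qname(client_ip, zone)))
    return verdict == "listed"


# Constructed fake resolver. relays.monkeys.example behaves as the thread
# describes the defunct list: every name resolves to 244.254.254.254.
# bl.healthy.example lists 192.0.2.99 and the test point only.
_FAKE_ZONES = {
    "relays.monkeys.example.": lambda qname: ["244.254.254.254"],
    "bl.healthy.example.": lambda qname: ["127.0.0.2"] if qname in (
        "2.0.0.127.bl.healthy.example.", "99.2.0.192.bl.healthy.example.") else [],
}


def fake_resolve(qname: str) -> List[str]:
    for zone, handler in _FAKE_ZONES.items():
        if qname.endswith("." + zone):
            return handler(qname)
    return []


if __name__ == "__main__":
    for zone in _FAKE_ZONES:
        print(zone, check_zone_health(zone, fake_resolve))
    print("reject 192.0.2.99 via bl.healthy.example:",
          should_reject("192.0.2.99", "bl.healthy.example", fake_resolve))
```

Running the health probe once per zone at startup (and again periodically) is what would have caught the monkeys.com change on day one; the 240.0.0.0/4 filter on the BIND servers that the post recommends stops the resolver from trying to talk to a class E address at all, which is what produced the internal_send errors in the first place.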
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 11:51 AM 10/9/2003, Chris Boyd wrote: On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote: http://www.wired.com/news/business/0,1367,60747,00.html -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course. The domain name is vano-soft.biz, and looking up the address, I get Name: vano-soft.biz Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 A few minutes later, or from a different nameserver, I get Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9, 12.252.185.129 This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it? They're using extremely low TTL's on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers... Another question is why is NeuLevel (the registrar for .biz) allowing TTL's on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information is invalid listed on their whois server. They might have a credit card transaction although that too could always be a stolen credit card number. Any other ideas or different angles/experiences?

; DiG 9.2.2 +trace a vano-soft.biz.
;; global options: printcmd
.                       80336   IN      NS      l.root-servers.net.
.                       80336   IN      NS      m.root-servers.net.
.                       80336   IN      NS      i.root-servers.net.
.                       80336   IN      NS      e.root-servers.net.
.                       80336   IN      NS      d.root-servers.net.
.                       80336   IN      NS      a.root-servers.net.
.                       80336   IN      NS      h.root-servers.net.
.                       80336   IN      NS      c.root-servers.net.
.                       80336   IN      NS      g.root-servers.net.
.                       80336   IN      NS      f.root-servers.net.
.                       80336   IN      NS      b.root-servers.net.
.                       80336   IN      NS      j.root-servers.net.
.                       80336   IN      NS      k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms

biz.                    172800  IN      NS      A.GTLD.biz.
biz.                    172800  IN      NS      B.GTLD.biz.
biz.                    172800  IN      NS      C.GTLD.biz.
biz.                    172800  IN      NS      D.GTLD.biz.
biz.                    172800  IN      NS      E.GTLD.biz.
biz.                    172800  IN      NS      F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms

vano-soft.biz.          7200    IN      NS      NS1.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS2.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS3.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS4.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms

vano-soft.biz.          120     IN      A       200.80.137.157
vano-soft.biz.          120     IN      A       12.229.122.9
vano-soft.biz.          120     IN      A       12.252.185.129
vano-soft.biz.          120     IN      A       165.166.182.168
vano-soft.biz.          120     IN      A       193.92.62.42
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
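The trace above shows the signature Vinny is pointing at: a 120-second TTL on the A set, addresses that rotate between lookups, and NS records (7200 at the registry, 120 in the zone) that stay put underneath. Two snapshots are enough to make that visible mechanically. The following is an added example written for this page, not code from the thread: it parses dig-style answer lines, diffs the A set between an earlier and a later snapshot, checks whether the NS set moved with them, and counts how many distinct /16s the addresses fall into (a handful of hosts scattered over unrelated networks is what compromised end systems look like, as opposed to a hosting cluster). The two snapshots are constructed from the addresses quoted in the thread; the earlier one is given the same 120-second TTL and the same NS set as the dig output, since the nslookup output it came from showed neither.

```python
"""Compare two snapshots of a domain's records and flag fast-flux
behaviour: very low A TTLs, churn in the addresses between snapshots,
and a stable NS set underneath.

Added example for this page, not code from the thread. Input is dig's
answer-section line format ("name TTL IN TYPE rdata"). Snapshots are
constructed from the addresses quoted in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)\s*$")


def parse_rrs(text: str) -> List[dict]:
    """Parse dig-style RR lines; ';' comment lines and blanks are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append({"name": m["name"].lower(), "ttl": int(m["ttl"]),
                        "type": m["type"], "rdata": m["rdata"].lower()})
    return rrs


def rdata_set(rrs: List[dict], rtype: str) -> Set[str]:
    return {r["rdata"] for r in rrs if r["type"] == rtype}


def min_ttl(rrs: List[dict], rtype: str) -> Optional[int]:
    ttls = [r["ttl"] for r in rrs if r["type"] == rtype]
    return min(ttls) if ttls else None


def distinct_prefixes(ips: Set[str], prefixlen: int = 16) -> int:
    """Number of distinct /prefixlen networks the addresses fall into."""
    return len({ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})


def flux_report(earlier: str, later: str, ttl_threshold: int = 300) -> Dict:
    """Diff two snapshots; 'fast_flux_suspect' needs both a low A TTL and
    real churn in the A set, so a single low-TTL CDN lookup does not trip it."""
    old, new = parse_rrs(earlier), parse_rrs(later)
    a_old, a_new = rdata_set(old, "A"), rdata_set(new, "A")
    report = {
        "a_added": sorted(a_new - a_old),
        "a_removed": sorted(a_old - a_new),
        "a_stable": sorted(a_old & a_new),
        "ns_changed": rdata_set(old, "NS") != rdata_set(new, "NS"),
        "min_a_ttl": min_ttl(new, "A"),
        "distinct_16s": distinct_prefixes(a_new),
    }
    ttl = report["min_a_ttl"]
    report["fast_flux_suspect"] = (
        ttl is not None and ttl <= ttl_threshold
        and bool(report["a_added"] or report["a_removed"])
    )
    return report


# Constructed from the first nslookup quoted in the thread; TTL and NS set
# are assumed equal to those in the later dig output.
SNAPSHOT_1 = """
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 131.220.108.232
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.165.6.97
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
"""

# Answer section of the dig +trace quoted in the thread.
SNAPSHOT_2 = """
vano-soft.biz. 120 IN A 200.80.137.157
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.92.62.42
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
"""

if __name__ == "__main__":
    for key, value in flux_report(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{key}: {value}")
```

Fed more than two snapshots, the same diff over consecutive pairs gives the rotation schedule Vinny describes: the A records churn every couple of minutes while the NS set only moves on the registry's 7200-second clock, which is the set worth tracking to find the controlling servers.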
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:01 PM 10/9/2003, McBurnett, Jim wrote: - -I found one of these today, as a matter of fact. The spam was -advertising an anti-spam package, of course. - -The domain name is vano-soft.biz, and looking up the address, I get - -Name:vano-soft.biz -Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, -193.165.6.97 - 12.229.122.9 - -A few minutes later, or from a different nameserver, I get - -Name:vano-soft.biz -Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, -12.229.122.9 - 12.252.185.129 - -This is a real Hydra. If everyone on the list looked up -vano-soft.biz -and removed the trojaned boxes, would we be able to kill it? - ---Chris I got : Canonical name: vano-soft.biz Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129 I think even if we get all the ones for this domain name today, assuming we can muster even man hours to get it today, another 5000 will be added tomorrow. And looking at my list We have US(a very small ISP and a large ISP) RIPE, and LACNIC. I wonder if the better question should be: Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems? That is what it will take to slow this down, and then only if ALL of ISP's do it. This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large # of Zombies, I am willing to say that those are potentially some of the same compromised systems. Thoughts? Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's. 
Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:53 PM 10/9/2003, you wrote: On 9 Oct 2003, at 12:19, Vinny Abello wrote: Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's. Hosting a server looks very similar to using an ftp client in active mode, playing games over the network or using a SIP phone to the network. Enumerating all permissible servers and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network. Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think. A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift. I think it's more complicated than prevent residential users from hosting servers. Absolutely, and I was just referring to certain things, not all inbound access. I mentioned before that it doesn't really make much sense with web hosting because the port can easily be changed so it's not very effective at all. Blocking people from hosting mail servers that receive mail and can't send mail directly could be enforced much more easily than the web example so my original thought doesn't really apply all that much to web stuff, but then again I stated I didn't say that IS the solution to anything. Just a thought that's been kicked around forever that we've all heard. 
:) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Worst design decisions?
At 08:57 AM 9/18/2003, David Lesher wrote: Speaking on Deep Background, the Press Secretary whispered: Hello all, Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple. 1) The slide lock on transceiver cables. 2) Intel's+IBM's 640K wall. 3) IDE addressing standards. (We've been through the 528 MB, 2.1 GB, 4.2 GB, 8.4 GB caps what's next?) Are you asking? :) It would by my count be the 137.4GB limit of LBA28 which was already corrected with LBA48 if your motherboard supports it. Maybe you haven't had to use an IDE drive that large yet. ;) There may have been another limitation in there on IDE that I'm missing in some form... As a sidenote, MS (in trying to phase out FAT32 in favor of NTFS) started limiting the creation of FAT32 drives allowing a maximum of only 32GB in Windows 2000, but that doesn't really bother me. :) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Worst design decisions?
How about MB chipset fans which always seem to fail! I avoid any mobo with a chipset fan if possible. This is still commonplace and I still see them fail all the time. At 09:09 AM 9/18/2003, Ryan Dobrynski wrote: I have beef with every chassis designer that has ever left a sharp edge hidden deep inside their case of doom just waiting to gash some poor IT guy in a most unpleasant manner.. also ASUS who insists on putting their onboard sound interface at the BOTTOM of the MB when they know that the little cable you get with the cdrom is half the length of the board. you end up with an analog audio cable that's stretched tight and now in the way of all your PCI slots... /rude Ryan Dobrynski Hat-Swapping Gnome Choice Communications Like the ski resort of girls looking for husbands and husbands looking for girls, the situation is not as symmetrical as it might seem. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: What do you want your ISP to block today?
At 02:51 PM 9/3/2003, Sean Donelan wrote: On Wed, 3 Sep 2003, Johannes Ullrich wrote: I just summarized my thoughts on this topic here: http://www.sans.org/rr/special/isp_blocking.php Overall: I think there are some ports (135, 137, 139, 445), a consumer ISP should block as close to the customer as they can. If ISPs had blocked port 119, Sobig could not have been distributed via USENET. Perhaps unbelievably to people on this mailing list, many people legitimately use 135, 137, 139 and 445 over the open Internet everyday. Which protocols do you think are used more on today's Internet? SSH or NETBIOS? Some businesses have created an entire industry of outsourcing Exchange service which need all their customers to be able to use those ports. http://www.mailstreet.net/MS/urgent.asp http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/ If done properly, those ports are no more or less dangerous than any other 16-bit port number used for TCP or UDP protocol headers. But we need to be careful not to make the mistake that just because we don't use those ports that the protocols aren't useful to other people. Even on Windows they can be used in a much safer fashion (although I would never attempt it for any of my stuff). It is possible to use IPSec policies on 2000 and higher to encrypt all traffic on specified ports to specified hosts/networks and block all other traffic. I bet some people are using this to join remote locations securely to each other for Windows networking with these ports and IPSec policies. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
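An added example (not from any post in this thread) of the edge policy Johannes describes: a small Python filter that drops 135/137/139/445 at the customer edge in both directions, with a per-customer opt-out for the legitimate users Sean mentions (outsourced Exchange and the like). The customer prefixes, the flow-record format and the records themselves are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the thread: MS-RPC endpoint mapper (135), NetBIOS name and
# session services (137, 139) and SMB over TCP (445).
WINDOWS_PORTS = frozenset({135, 137, 139, 445})

# Assumed customer address pool for this example (documentation prefixes,
# not a block from the thread).
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one constructed 'src dst proto dport' record into a Flow."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def in_customer_space(addr, nets=CUSTOMER_NETS):
    return any(addr in net for net in nets)


def decide(flow, optout=frozenset(), ports=WINDOWS_PORTS):
    """Return 'drop' or 'pass' for a flow crossing the customer edge.

    Policy: the listed ports are dropped in both directions at the customer
    edge (worm propagation works both ways), except for customers who have
    explicitly opted out because they need them, e.g. for outsourced Exchange.
    """
    if flow.proto not in ("tcp", "udp") or flow.dport not in ports:
        return "pass"
    for endpoint in (flow.src, flow.dst):
        if in_customer_space(endpoint):
            return "pass" if endpoint in optout else "drop"
    return "pass"  # neither side is ours: transit traffic is not ours to filter


def apply_policy(lines, optout=frozenset()):
    """Run the policy over text flow records; returns [(record, verdict), ...]."""
    return [(line, decide(parse_flow(line), optout)) for line in lines]


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "203.0.113.7 192.0.2.10 tcp 445",    # outside -> customer SMB
    "192.0.2.10 203.0.113.7 tcp 139",    # customer -> outside NetBIOS session
    "203.0.113.7 192.0.2.10 udp 137",    # outside -> customer NetBIOS name service
    "203.0.113.7 192.0.2.10 tcp 22",     # SSH is left alone
    "203.0.113.7 198.51.100.5 tcp 135",  # customer 198.51.100.5 has opted out
    "203.0.113.7 203.0.113.9 tcp 445",   # neither endpoint is a customer
]
OPTOUT = frozenset({ipaddress.ip_address("198.51.100.5")})

if __name__ == "__main__":
    for record, verdict in apply_policy(SAMPLE_FLOWS, OPTOUT):
        print(f"{verdict:4} {record}")
```

The opt-out is keyed on the customer-side address, so a customer who needs these ports gets them in both directions while everyone else stays filtered; the same structure maps directly onto a per-customer ACL on the aggregation router.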
Re: Its not just Spam and DDOS anymore (was Re: OT: Re: User negligence?)
At 11:25 AM 7/27/2003, Rob Thomas wrote: Hi, NANOGers. ] Folks, its not underground any more. The criminals are using trojans ] to steal real money from real people now. Indeed, and for a while (circa five months by my observation) now. It is no longer, and hasn't been for a while, about technology. The technology - the Internet and the connected devices - has become a conduit for profitable criminal activity on an ubiquitous scale, pure and simple. Miscreants don't break into databases and steal 8M credit cards at a pop so they can card shells and shoes. ] Firewalls can't stop it, ISPs can't stop it. Its a *HOST* security issue. I'll slightly modify that statement; it is a *PEOPLE* issue. People who write code. People who use systems and networks. People who abuse all of the above for monetary gain. babble I think people forget that we don't live in a utopian society. Some people expect computers to solve all the problems and expect that they can prevent crime in their own domain. We haven't eliminated physical crime at all so I don't see why people are surprised to find that a computer was used to commit a crime. Bank robberies take place all the time and you don't hear much about them. Probably more similar is fraud which has taken place for a countless amount of time without the use of computers. Using computers is just another way to perpetrate it. I do agree with a lot of people in the fact that users of the tool must be informed of how to use it safely, just like anything the person is not 100% familiar with. It's somewhat common knowledge to not leave bank account numbers lying around for anyone to see. It's not as common for people who are unfamiliar with computers to know not to open unknown attachments, run anti-virus software, use a firewall, etc... Would the average driver know how to handle an 18 wheeler? They could probably get it going, but not safely. 
People must be educated about using computers, ESPECIALLY if it is in a situation where security is elevated because the company has something valuable to protect. A bank teller wouldn't likely let a client behind the counter, yet many would probably open an attachment sent via email without knowing what it is. I know the average end user probably isn't likely as aware about security using their PC in their home, but if banks and other institutions plan on making their services available online in some manner, perhaps they should at least send out occasional best security practices to protect people's information. I can also see that it's not REALLY their problem either so I could also go the other way on this. Just like a bank is not responsible for someone breaking into your house and stealing your checkbook. /babble Just my 2¢. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Its not just Spam and DDOS anymore (was Re: OT: Re: User negligence?)
Forgive my typo... here = hear. My brain isn't functioning yet this morning and I am just typing what I hear in my head. ;) It's a Sunday morning. :P At 11:45 AM 7/27/2003, Vinny Abello wrote: Bank robberies take place all the time and you don't here much about them. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
re: rfc1918 ignorant
I agree... The only problem is if you filter all inbound RFC 1918 and inadvertently block ICMP messages from their routers on rfc1918 space. That could potentially cause issues with network connectivity related to MTU, etc... At 08:59 AM 7/23/2003, Dave Temkin wrote: Is this really an issue? So long as they're not advertising the space I see no issue with routing traffic through a 10. network as transit. If you have no reason to reach their router directly (and after Cisco's last exploit, I'd think no one would want anyone to reach their router directly :-) ), what's the harm done? RFC1918 merely states that it shouldn't be routed on the global internet, not that it can't be used for transit space. --- Is there a site to report networks/isps that still leak rfc1918 space? By leaking I not only mean don't filter, but actually _use_ in their network? If someone is keeping a list, feel free to add ServerBeach.com. All traceroutes to servers housed there, pass by 10.10.10.3.

traceroute to www.serverbeach.com ...
20. 64-132-228-70.gen.twtelecom.net
21. 10.10.10.3
22. 66.139.72.12

Kind Regards, Frank Louwers -- Openminds bvba www.openminds.be Tweebruggenstraat 16 - 9000 Gent - Belgium -- David Temkin Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
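An added example, not from the thread, of the caveat about RFC 1918 filters: a naive inbound filter next to one that still admits the ICMP errors (fragmentation needed, TTL exceeded) that a privately numbered transit hop such as the 10.10.10.3 above sends about our own flows. The Packet type, the quotes_our_flow field standing in for a stateful match on the quoted IP header, and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP errors a transit router sends about traffic we originated. Blocking
# them from privately numbered hops is what breaks path MTU discovery
# (type 3 code 4) and makes traceroute show a silent hop (type 11 code 0).
WANTED_ICMP_ERRORS = frozenset({(3, 4), (11, 0)})


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: int = -1
    icmp_code: int = -1
    quotes_our_flow: bool = False   # ICMP error payload matches a flow we sent


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def naive_filter(pkt):
    """Drop everything inbound from RFC 1918 sources, ICMP included."""
    return "drop" if is_rfc1918(pkt.src) else "pass"


def careful_filter(pkt):
    """Same filter, but admit ICMP errors about our own flows from private hops.

    Only errors whose quoted header matches a flow we actually sent are let
    through, so a stranger cannot use 10.x sources to inject bogus errors.
    """
    if not is_rfc1918(pkt.src):
        return "pass"
    if (pkt.proto == "icmp"
            and (pkt.icmp_type, pkt.icmp_code) in WANTED_ICMP_ERRORS
            and pkt.quotes_our_flow):
        return "pass"
    return "drop"


# Constructed packets (not captured traffic). 10.10.10.3 is the transit hop
# visible in the traceroute quoted above; 66.139.72.12 is the hop after it.
SAMPLES = {
    "syn from private src":        Packet("10.10.10.3", "tcp"),
    "frag-needed about our flow":  Packet("10.10.10.3", "icmp", 3, 4, True),
    "frag-needed, unknown flow":   Packet("10.10.10.3", "icmp", 3, 4, False),
    "ttl-exceeded about our flow": Packet("10.10.10.3", "icmp", 11, 0, True),
    "echo request from private":   Packet("10.10.10.3", "icmp", 8, 0),
    "frag-needed from public":     Packet("66.139.72.12", "icmp", 3, 4, True),
}


def compare(samples=SAMPLES):
    """Return {label: (naive verdict, careful verdict)} for every sample."""
    return {label: (naive_filter(p), careful_filter(p)) for label, p in samples.items()}


if __name__ == "__main__":
    for label, (naive, careful) in compare().items():
        print(f"{label:28} naive={naive:4} careful={careful}")
```

On a real stateful firewall the quotes_our_flow check is the "related" state match on the embedded header; without it the relaxed rule would let anyone forge PMTU errors from an unfilterable 10.x source.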
Re: Oh where, oh where has Comcast gone
I actually noticed this morning when trying to check my mail that their mail server is now SSL capable out of the blue. Interesting... At 03:45 AM 6/24/2003, Matt Hess wrote: Well, I do know, as a customer, they are going through a large att - comcast.net transition period right now.. they even left a poorly thought out automated message on my answering machine to let me know that on june 30th they plan on royally screwing up everything.. now naturally they didn't say that but that message sure didn't leave much room for any hope of contacting support that week if need be.. John R Levine wrote: I saw a bunch of mail to comcast.net bouncing, so I figured I'd check to see if maybe their mail servers were misconfigured or something. Holy petunias, they've imploded into private network space. It appears that the glue records in the GTLD servers are OK, but ns02 is returning the 172.30 address which, since it's authoritative for itself, overwrites the good data. Tsk, tsk. I suppose that's one way to cut down the amount of spam they get.

$ dnsqr ns comcast.net
2 comcast.net:
76 bytes, 1+2+0+0 records, response, noerror
query: 2 comcast.net
answer: comcast.net 4929 NS ns01.jdc01.pa.comcast.net
answer: comcast.net 4929 NS ns02.jdc01.pa.comcast.net

$ dnsqr a ns01.jdc01.pa.comcast.net
1 ns01.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns01.jdc01.pa.comcast.net
answer: ns01.jdc01.pa.comcast.net 4923 A 172.30.0.16

$ dnsqr a ns02.jdc01.pa.comcast.net
1 ns02.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns02.jdc01.pa.comcast.net
answer: ns02.jdc01.pa.comcast.net 4919 A 172.30.0.17

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies, Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner More Wiener schnitzel, please, said Tom, revealingly. 
Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Pesky spammers are using my mailbox
At 02:39 PM 5/31/2003, you wrote: On Sat, 31 May 2003, Stephen J. Wilcox wrote: seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I cant easily block it. Has anyone any advice on tracking them down and making them stop? Tactical baseball bat at close range? :) I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from. There are known spamming viruses making their rounds that I believe behave like klez and others that use known email addresses. A couple of our customers have been infected by them and have had their computers unknowingly sending out spam. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Verizon mail server on MAPS RSS list
At 03:59 PM 3/27/2003 -0500, Richard Welty wrote: On Thu, 27 Mar 2003 13:40:00 -0700 Josh Gentry [EMAIL PROTECTED] wrote: We've got customers trying to receive email from people using Verizon for Internet access, and we are rejecting that mail because out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list. Can't pull up the MAPS RSS website at the moment to check why. Anyone know contact info for Verizon for this kind of issue? maps RSS is open relays. try the abuse.net relay tester on the BL'd IP and see what it turns up, http://www.abuse.net/relay.html Looks like that IP is on quite a few lists actually... http://rbls.org/?q=206.46.170.44 Must be a very abused Verizon mail server, possibly one of many... Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: 13,000 Bank of America ATM's taken out by virus.
At 03:23 PM 1/25/2003 -0800, Patrick wrote: On Sat, 25 Jan 2003, Christopher J. Wolff wrote: Does this mean that BofA ATM's are SQL based or that BofA is running ATM traffic through some kind of internet VPN? Perhaps they just plug the ATM's into any connection and pass cleartext transactions over the internet? This is very suspicious, IMHO. At $previous_employer half the connections to the various banks they had were via VPN. I know of a bank whose consultants are blithering idiots. The lack of security baffles my mind. My home network is 10 times more secure than what I've been told about. :( I'd hate to think that this is fairly common among banks but I'm starting to wonder... The only positive thing that has come out of their lack of security is that I know one place not to put any of my money. :P Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: UUNET Routing issues
The only thing I've noticed is high latency between UUNet and Sprint (around 2 second latency) in at least one traffic exchange point between them, maybe more. Probably because of the diversion of traffic on UUNet's network. At 04:30 PM 10/3/2002 -0400, Matt Levine wrote: On Thursday, October 3, 2002, at 04:07 PM, Chris Adams wrote: Once upon a time, [EMAIL PROTECTED] [EMAIL PROTECTED] said: There still seem to be problems. Earlier today CHI-ATL was 2000ms. Now it's improved to 1000ms.

9 0.so-5-0-0.XL2.CHI13.ALTER.NET (152.63.73.21) 24.466 ms 24.311 ms 24.382 ms
10 0.so-0-0-0.TL2.CHI2.ALTER.NET (152.63.68.89) 24.467 ms 24.349 ms 24.454 ms
11 0.so-3-0-0.TL2.ATL5.ALTER.NET (152.63.101.50) 1029.484 ms 1049.529 ms 1063.692 ms
12 0.so-7-0-0.XL4.ATL5.ALTER.NET (152.63.85.194) 1106.067 ms 1118.102 ms 1132.124 ms

We're a UUNet customer (we also have other connections), and we haven't really seen any big problem today. We're connected to Atlanta, and I see: snip We haven't seen anything unusual on our UU circuit in PHX, either. -- Chris Adams [EMAIL PROTECTED] Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- Matt Levine @Home: [EMAIL PROTECTED] @Work: [EMAIL PROTECTED] ICQ : 17080004 AIM : exile GPG : http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x6C0D04CF The Trouble with doing anything right the first time is that nobody appreciates how difficult it was. -BIX Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
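An added example, not part of the thread, that parses UNIX-style traceroute output like the four hops quoted above and flags a per-hop latency jump, noting whether the jump persists through later hops (a spike that disappears at the next hop is usually the router deprioritising its own ICMP replies rather than latency on the forwarding path). The 200 ms threshold and the second, constructed trace are assumptions.

```python
import re
from statistics import median

# One hop of UNIX traceroute output:
# "11  host (ip)  1029.484 ms  1049.529 ms  1063.692 ms"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def parse_traceroute(text):
    """Return [(hop, host, ip, [rtt_ms, ...]), ...]; timed-out probes ('*') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue   # header lines and pure "* * *" hops carry no RTT
        hop, host, ip, rest = m.groups()
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append((int(hop), host, ip, rtts))
    return hops


def latency_jumps(text, threshold_ms=200.0):
    """Flag hops whose median RTT rises by more than threshold_ms over the
    previous hop. The returned 'persists' flag says whether every later hop
    stays that high; a jump that vanishes at the next hop is a slow control
    plane answering probes, not a slow path."""
    hops = [h for h in parse_traceroute(text) if h[3]]
    medians = [median(h[3]) for h in hops]
    flagged = []
    for i in range(1, len(hops)):
        delta = medians[i] - medians[i - 1]
        if delta > threshold_ms:
            persists = all(m >= medians[i - 1] + threshold_ms for m in medians[i + 1:])
            flagged.append((hops[i][0], hops[i][1], round(delta, 3), persists))
    return flagged


# The four hops quoted in the thread above (UUNET CHI->ATL, October 2002).
SAMPLE = """\
 9  0.so-5-0-0.XL2.CHI13.ALTER.NET (152.63.73.21)  24.466 ms  24.311 ms  24.382 ms
10  0.so-0-0-0.TL2.CHI2.ALTER.NET (152.63.68.89)  24.467 ms  24.349 ms  24.454 ms
11  0.so-3-0-0.TL2.ATL5.ALTER.NET (152.63.101.50)  1029.484 ms  1049.529 ms  1063.692 ms
12  0.so-7-0-0.XL4.ATL5.ALTER.NET (152.63.85.194)  1106.067 ms  1118.102 ms  1132.124 ms
"""

# Constructed counter-example: one hop answers slowly, the path beyond it does not.
SPIKE_ONLY = """\
 1  gw (192.0.2.1)  1.0 ms  1.1 ms  1.0 ms
 2  slow-control-plane (192.0.2.2)  350.0 ms  340.0 ms  360.0 ms
 3  far (192.0.2.3)  3.0 ms  3.1 ms  3.0 ms
"""

if __name__ == "__main__":
    for name, trace in (("uunet", SAMPLE), ("spike-only", SPIKE_ONLY)):
        for hop, host, delta, persists in latency_jumps(trace):
            print(f"{name}: hop {hop} {host} +{delta} ms"
                  f"{' (persists)' if persists else ' (this hop only)'}")
```

In the UUNET trace the jump at hop 11 carries through to hop 12, which is what makes it a path problem worth reporting rather than a router that is slow to generate ICMP.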
Re: Sprint (1239) blackhole ? Or bogus /32 route ?
Yep, you're right. Looks like they might be blackholing the /32 with a null route on their network somewhere. At 01:35 PM 9/26/2002 -0400, Mike Tancsa wrote: At 01:31 PM 26/09/2002 -0400, Vinny Abello wrote: Looks like something isn't right... I see the announcement from Sprint with an AS path of 1239 852 11647, but it never gets past one of the routers on Sprint's network. I have no problem going through Cable and Wireless: Yes, and the strange thing is that is just one IP address :-( 199.212.134.9... If you try 199.212.134.1 I bet you can get to it via sprint.

Type escape sequence to abort.
Tracing the route to smtp2.sentex.ca (199.212.134.9)

1 63-121-101-106.focaldata.net (63.121.101.106) [AS 18984] 0 msec 0 msec 0 msec
2 acr2-so-3-3-0.newyork.cw.net (206.24.193.153) [AS 3561] 0 msec 4 msec 0 msec
3 agr4-loopback.newyork.cw.net (206.24.194.104) [AS 3561] 4 msec 0 msec
  agr3-loopback.newyork.cw.net (206.24.194.103) [AS 3561] 4 msec
4 dcr1-so-7-2-0.newyork.cw.net (206.24.207.73) [AS 3561] 4 msec
  dcr1-so-6-2-0.newyork.cw.net (206.24.207.57) [AS 3561] 0 msec
  dcr1-so-7-3-0.newyork.cw.net (206.24.207.77) [AS 3561] 4 msec
5 telus-services-inc.newyork.cw.net (206.24.207.90) [AS 3561] 24 msec 24 msec 20 msec
6 toroonnlbr00.bb.telus.com (154.11.11.130) [AS 852] 20 msec 24 msec 20 msec
7 toroonzddr00.bb.telus.com (154.11.6.67) [AS 852] 24 msec 24 msec 20 msec
8 peer.toroonzddr00.bb.telus.com (209.115.141.5) [AS 852] 28 msec 28 msec 32 msec
9 iolite.sentex.ca (209.112.4.3) [AS 15290] 24 msec 24 msec 24 msec
10 smtp2.sentex.ca (199.212.134.9) [AS 11647] 28 msec 24 msec 32 msec

I would contact Sprint. Good luck! Thanks, I did. Responder robot said they would try to get back to me in 72hrs :-( ---Mike Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
Re: IP over in-ground cable applications.
At 02:28 PM 9/12/2002 -0700, [EMAIL PROTECTED] wrote: Christopher J. Wolff wrote: Can anyone recommend a method for integrating TCP/IP with an existing analog cable television network. Yes Chris, it's called DOCSIS. I would think that a CIO of a company named Broadband Labs would have a lab in which to experiment with cable. My current thoughts on this are to digitize the satellite video into mpeg2 and deliver it over TCP/IP through the in-ground cable. What about the neighborhoods with above-ground cable, how would you deliver service to them? What does above-ground vs. below ground have to do with delivering MPEG2?? I have digital cable with MPEG2 video, my cable Internet access (DOCSIS compliant), and analog cable stations even though the cable in my neighborhood is underground (as are all the utilities) and immediately outside my neighborhood by the main road all the utilities appear to go back up onto poles to get anywhere. It might just be a misleading illusion but I think it runs above ground to get to the cable company's office as do the phone lines which I know for a fact. The cable company that services the area where I work is talking about rolling out digital cable soon and all of the people in their service area have above ground utilities including cable. Am I obsessing and were you just being sarcastic or is there a technical reason why you stated this? Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
.mil domain root only hosted by one server??
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to set up a few more. These are the results I got when I queried A.ROOT-SERVERS.NET:

; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mil. IN A

;; AUTHORITY SECTION:
mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400

;; Query time: 390 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Wed Aug 21 15:38:58 2002
;; MSG SIZE rcvd: 90

I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
Re: .mil domain root only hosted by one server??
Ooops... My apologies (before I get slammed). I forgot the query type of NS in my dig.

; <<>> DiG 9.2.1 <<>> @a.root-servers.net ns mil.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11

;; QUESTION SECTION:
;mil. IN NS

;; ANSWER SECTION:
mil. 86400 IN NS E.ROOT-SERVERS.NET.
mil. 86400 IN NS PAC2.NIPR.mil.
mil. 86400 IN NS CON1.NIPR.mil.
mil. 86400 IN NS B.ROOT-SERVERS.NET.
mil. 86400 IN NS A.ROOT-SERVERS.NET.
mil. 86400 IN NS EUR1.NIPR.mil.
mil. 86400 IN NS PAC1.NIPR.mil.
mil. 86400 IN NS H.ROOT-SERVERS.NET.
mil. 86400 IN NS G.ROOT-SERVERS.NET.
mil. 86400 IN NS CON2.NIPR.mil.
mil. 86400 IN NS EUR2.NIPR.mil.

;; ADDITIONAL SECTION:
E.ROOT-SERVERS.NET. 360 IN A 192.203.230.10
PAC2.NIPR.mil. 86400 IN A 199.252.155.234
CON1.NIPR.mil. 86400 IN A 199.252.175.234
B.ROOT-SERVERS.NET. 360 IN A 128.9.0.107
A.ROOT-SERVERS.NET. 360 IN A 198.41.0.4
EUR1.NIPR.mil. 86400 IN A 199.252.154.234
PAC1.NIPR.mil. 86400 IN A 199.252.180.234
H.ROOT-SERVERS.NET. 360 IN A 128.63.2.53
G.ROOT-SERVERS.NET. 360 IN A 192.112.36.4
CON2.NIPR.mil. 86400 IN A 199.252.173.234
EUR2.NIPR.mil. 86400 IN A 199.252.143.234

;; Query time: 500 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Wed Aug 21 16:07:56 2002
;; MSG SIZE rcvd: 412

That's better. :) Go back to your regularly scheduled threads. At 03:04 PM 8/21/2002 -0500, you wrote: On Wed, Aug 21, 2002 at 03:46:22PM -0400, Vinny Abello wrote: I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. These are the results I got when I queried A.ROOT-SERVERS.NET:

mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400

The SOA MNAME field is always a single server.

bastet[~]$ dig +short mil ns @g.root-servers.net
PAC1.NIPR.mil.
H.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.
CON2.NIPR.mil.
EUR2.NIPR.mil.
E.ROOT-SERVERS.NET.
PAC2.NIPR.mil.
CON1.NIPR.mil.
B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.
EUR1.NIPR.mil.
bastet[~]$

-Pete Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
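An added example, not Pete's or Vinny's code, that parses both dig outputs above (the SOA-only answer to the A query and the NS RRset) and reports the delegated NS set, any server that came back without glue, and whether the SOA MNAME is merely one of the listed servers rather than the only one. The record lines are re-typed from the outputs above with whitespace normalised; the function names are assumptions.

```python
import re

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Split dig output into {'answer': [(owner, ttl, type, rdata), ...], ...}.

    dig omits sections that are empty, so a missing key means zero records.
    """
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:-len(" SECTION:")].lower()
            sections[current] = []
        elif line.strip() and not line.startswith(";") and current:
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                sections[current].append((owner.lower(), int(ttl), rtype, rdata.strip()))
    return sections


def delegation_summary(ns_output, soa_output):
    """Combine an NS query and an SOA-returning query for the same zone."""
    ns_rrs = parse_dig(ns_output)
    ns_names = {rdata.lower() for _, _, t, rdata in ns_rrs.get("answer", []) if t == "NS"}
    glue = {owner for owner, _, t, _ in ns_rrs.get("additional", []) if t in ("A", "AAAA")}
    mname = None
    for _, _, t, rdata in parse_dig(soa_output).get("authority", []):
        if t == "SOA":
            mname = rdata.split()[0].lower()   # first SOA field is the MNAME
    return {
        "nameservers": sorted(ns_names),
        "missing_glue": sorted(ns_names - glue),
        "soa_mname": mname,
        # MNAME names one primary; it says nothing about how many servers serve the zone.
        "mname_is_one_of_ns": mname in ns_names,
    }


# Re-typed from the outputs quoted above (August 2002), whitespace normalised.
NS_QUERY = """\
; <<>> DiG 9.2.1 <<>> @a.root-servers.net ns mil.
;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11

;; QUESTION SECTION:
;mil.                IN  NS

;; ANSWER SECTION:
mil.    86400  IN  NS  E.ROOT-SERVERS.NET.
mil.    86400  IN  NS  PAC2.NIPR.mil.
mil.    86400  IN  NS  CON1.NIPR.mil.
mil.    86400  IN  NS  B.ROOT-SERVERS.NET.
mil.    86400  IN  NS  A.ROOT-SERVERS.NET.
mil.    86400  IN  NS  EUR1.NIPR.mil.
mil.    86400  IN  NS  PAC1.NIPR.mil.
mil.    86400  IN  NS  H.ROOT-SERVERS.NET.
mil.    86400  IN  NS  G.ROOT-SERVERS.NET.
mil.    86400  IN  NS  CON2.NIPR.mil.
mil.    86400  IN  NS  EUR2.NIPR.mil.

;; ADDITIONAL SECTION:
E.ROOT-SERVERS.NET.  360    IN  A  192.203.230.10
PAC2.NIPR.mil.       86400  IN  A  199.252.155.234
CON1.NIPR.mil.       86400  IN  A  199.252.175.234
B.ROOT-SERVERS.NET.  360    IN  A  128.9.0.107
A.ROOT-SERVERS.NET.  360    IN  A  198.41.0.4
EUR1.NIPR.mil.       86400  IN  A  199.252.154.234
PAC1.NIPR.mil.       86400  IN  A  199.252.180.234
H.ROOT-SERVERS.NET.  360    IN  A  128.63.2.53
G.ROOT-SERVERS.NET.  360    IN  A  192.112.36.4
CON2.NIPR.mil.       86400  IN  A  199.252.173.234
EUR2.NIPR.mil.       86400  IN  A  199.252.143.234
"""

SOA_QUERY = """\
; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil.
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mil.                IN  A

;; AUTHORITY SECTION:
mil.    86400  IN  SOA  G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400
"""

if __name__ == "__main__":
    for key, value in delegation_summary(NS_QUERY, SOA_QUERY).items():
        print(f"{key}: {value}")
```

The A query never returns the NS set; its authority section carries the SOA as a negative-answer hint, and reading the single MNAME there as "the only server" is exactly the mistake the NS query corrects.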
Routers vs. PC's for routing - was list problems?
I would have to say for any Linux/BSD platform to be a viable routing solution, you have to eliminate all moving parts or as much as possible, i.e. no hard drives because hard drives will fail. Not much you can do about the cooling fans in various parts of the machine though which routers also tend to have. Solid state storage would be the way to go as far as what the OS is installed on. You have to have something to imitate flash on the common router. Otherwise, if you can get the functionality out of a PC, I say go for it! The processing power of a modern PC is far beyond any router I can think of. I suppose it would just be a matter of how efficient your kernel, TCP/IP stack and routing daemon would be at that point. :) At 10:48 PM 5/22/2002, you wrote: On Wed, 22 May 2002, Andy Dills wrote: From the number of personal replies I got about these topics, it seems like many people are interested in sharing information about how to do routing on a budget, or how to avoid getting shot in the foot with your Cisco box. Routing on a budget? Dude, you can buy a 7200 for $2 grand. Why bother with a linux box? Heh, at least use FreeBSD :) Before the dot com implosion, they weren't nearly that inexpensive. The average corporate user will also need smartnet (what's that on a 7200, a K or a few per year?) for support, warranty, and software updates. Some people just don't appreciate being nickel-and-dimed by cisco and forced to either buy much more router than they need, or risk ending up with another cisco boat anchor router when the platform they chose can no longer do the job in the limited memory config supported. I have a consulting customer who, against my strong recommendation, bought a non-cisco router to multihome with. It's PC based, runs Linux, and with the exception of the gated BGP issue that bit everyone running gated a few months ago, has worked just fine. 
It's not as easy to work with in most cases, but there are some definite advantages, and some things that Linux actually makes easier. They'd initially bought a 2621 when multihoming was just a thought, and by the time it was a reality, 64mb on a 2621 couldn't handle full routes. The CW/PSI depeering (which did affect this customer, as they were single homed to CW at the time and did regular business with networks single homed to PSI) was proof that without full routes, you're not really multihomed. -- -- Jon Lewis *[EMAIL PROTECTED]*| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_ Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
Re: Routers vs. PC's for routing - was list problems?
At 04:17 PM 5/23/2002 -0400, you wrote: I agree with you on that. Hot-swappability for various interfaces is something routers obviously have over PC's. Hot swap PCI is old news. True, but not widely implemented in the standard PC market. If you want a server that has hot swap capability, you're likely paying a premium price for a lot of extra other features. It's not something you can typically just build yourself, and if you can you'll need a case that allows you easy access to swap the PCI cards. By the time you pay for an enterprise level server with this capability, I would rather have put the money towards a good router. True... unless going for 64 bit PCI at 66MHz... still it's obvious that routers are designed for one simple purpose and generally have larger backplanes to handle that. However, $ for $, even when buying used cisco gear at 80% off from dot-booms, a PC router will outperform any traditional router. At what speeds though? As you get into the higher gbic speeds, a PC doesn't have the backplane to cut it. Now if we're talking raw processing power, a PC can blow away a router in calculations per second any day. :) I agree a router is probably more efficient in just routing packets, but in complex filtering or traffic manipulation/packet sniffing, a PC might have the edge. :) Yes, ipfw/dummy is very very cool. Like, inducing a few 100 msecs of latency to folks who don't pay on time :) Hehehehe... Interesting approach. I find it more fun to just shut them off. It makes them take you more seriously. Unfortunately I would say only a small percentage of users, maybe 20% or so would even notice the latency issues if they were having them. They're more likely to complain about slow transfer speeds. That is even more fun and can be done on any traditional Cisco... Traffic shaping is cool but hindered by being limited to controlling outbound traffic on an interface. Rate limiting even more fun. Hmm... 
[exceed action drop] Why is there so much damn packet loss on my connection when I put traffic across it??? ;) Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN