Re: Anyone from Verio here?
Just going off your email address/domain, it occurs to me that your problem may in fact be far to leet for the likes of nanog to handle. Have you tried an efnet oper? They have far superior leetness, and quite likely a little more time on their hands. One of them may also own that botnet, so you'd be hitting two birds with one stone. - billn On Wed, 16 Apr 2008, Jake Matthews wrote: I've sent repeated emails to [EMAIL PROTECTED]/com/*, no response yet. There is an IRC DDoS bot on EFnet actively attacking users - and has been for quite a while, as you can see from the signon date. I am one of those being hit - any idea how to "take care of it?" g is [EMAIL PROTECTED] * sharon stone g on @#tcp @#ping @#nsa.gov @#london @#jupe @#dust g using irc.wh.verio.net ooh omnipotence. mm yes gotta get me some of that. g actually using host 81.19.98.235 g has been idle 2mins 12secs, signed on Thu Apr 03 23:53:18
Re: Superfast internet may replace world wide web
On Mon, 7 Apr 2008, Glen Kent wrote:
> says the solemn headline of Telegraph.
> .. and we in Nanog are still discussing IPv6! ;-)
It's because we don't have a hadron demolition derby to power our American
interwebs:
"The power of the grid will be unlocked this summer with the switching
on of the Large Hadron Collider (LHC)."
-Bill
OT: vendor spam
Anyone seen spam from Uplogix.com? As it came to this email address, which I don't give to vendors for exactly this reason, I'm suspecting it's been harvested from this list or maybe c-nsp, the only other list I'm active on, for sporadic amounts of active. Has anyone else seen this? I'd like to verify the source before I add nails to the clue-by-four. - billn
Re: NXDOMAIN data needed for survey
[ disclaimer: i work for opendns. ] On Fri, Mar 21, 2008 at 05:53:15PM -0400, Martin Hannigan wrote: > > I think it's best that we let David Ulevitch and the crew @ OpenDNS make > > the money that is to be made off this. He's doing good while doing well. > > Why shouldn't anyone be able to "make the money"? The problem with > that post wasn't that he was advocating law breaking, it was that it's > a marketing missive and inconsistent with community norms, IMHO. That > doesn't mean that it's illegal, and it certainly doesn't mean it's ok > for one "good guy" to be allowed to profit and one unknown not to. > Setting classes of who can profit from NXDOMAIN data creates > unfairness in the system and it should be all or none. now that our name has been brought into this, i think it's only fair to say: the NXDOMAIN data we know about is when a user's resolver asks our recursive servers for a record and NXDOMAIN is the end result of what our resolvers discover. at that point, we optionally point you at a lander page w/ search results and ads and all that jazz based on the words in the record you [mis-]typed. note the optionally. if you want, we'll just return NXDOMAIN. you can configure this. you can configure it per-ip, per-prefix, etc. now, on to what we do or could do with that data: we do not sell and have never sold NXDOMAIN data. nor do we register domains based on NXDOMAIN information. the non-OpenDNS company who sees the original request that produced the NXDOMAIN that failed (which may or may not even be a valid hostname) is our advertising partner. they get that data after we've transformed the original request into their API to send to them as keywords so they may return appropriate and relevant ads. so, to recap: nope, we don't sell NXDOMAIN data. we don't sell any other data either. yes, some revenue comes from typos/mistakes. you knew that already. yes, you can even change that behavior and just get NXDOMAIN. that means your typos gain us nothing. you get our service for free. yes, you opt-in to our service in the first place. yes, we have a privacy policy that says this better than i can. > What you really want to look at is privacy policy. Not all of the good > guys are actually good guys in that respect. http://www.opendns.com/privacy/ it looks pretty good to me. i read it before i agreed to employment. -- billf >at< opendns.com // opendns network engineering p.s. since i rarely if ever post, i have to make the shameless, shameless plug: <[EMAIL PROTECTED]>. we're in peeringdb too.
Re: do you know how to dump packet to see vlan info
You can use the 8021q module in linux, and the vlan tools to run an interface as a dot1q trunk. I'm not sure off-hand about the other distributions, but under Debian you just need the 'vlan' package. modprobe 8021q ifconfig eth1 up vconfig add eth1 ifconfig eth1. netmask Configure your switch port to trunk mode, tag your vlans onto it, et voila. This will give you a presence in as many broadcast domains as you decide to tag. - billn On Wed, 19 Mar 2008, Jon R. Kibler wrote: ann kok wrote: Hi all I am using linux as router to connect to switch do you know how to dump packet to see vlan info? Thank you You won't see vlan info unless you are on a trunking port. Jon Kibler
Re: Kenyan Route Hijack
On Sat, Mar 15, 2008 at 9:09 PM, Glen Kent <[EMAIL PROTECTED]> wrote: > Unlike the Youtube outage where PTA had issued a directive asking all > ISPs to block Youtube - What is the reason most often cited for such > mishaps? The reason i ask this is because the ISPs that > "inadvertently" hijack someone elses IP space, need to explicitly > configure *something* to do this. So, what really are they trying to do > there? I've seen two popular reasons for doing it accidentally - Fat fingers when configuring IP addresses by hand - Using old routing protocols such as IGRP or RIP and autosummarizing routes, usually done by a customer of an ISP that doesn't bother filtering carefully. This doesn't give you a /24 address by accident, but it lets you take two /24 subnets of a Class B or Class A and turn them into an advertisement for the whole network. A popular reason from longer ago was enterprises that used arbitrary addresses for their internal networks, which was safe because they'd never be connected to the real internet. RFC1918 has made that problem mostly go away, but as recently as 1995 I had a customer who was a bank that was using University of Toronto IP addresses internally. We were working on their databases, not their networks, so while we strongly recommended they renumber some time soon, it wasn't happening during our project. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Routing Loop
7018 is still seeing announcements from 6461, and the Oregon Routeviews server route-views.routeviews.org also sees many announcements from different ISPs seeing it announced from 6461. The whois entry for Above.net lists the NOC as RTechHandle: NOC41-ORG-ARIN RTechName: AboveNet NOC RTechPhone: +1-877-479-7378 RTechEmail: [EMAIL PROTECTED] On Sat, Mar 15, 2008 at 1:10 AM, Felix Bako <[EMAIL PROTECTED]> wrote to NANOG > > Hello, > Guyz please try to reach my network 194.9.82.0/24 from your networks. > Am seeeing routing loops from several looking glasses. > above.net, Alameda.net. but from traceroute.eu. the block comes down ok. > Kindly anyone assist. > -- > > Best Regards, > > Felix Bako > Network Engineer > Africa Online, Kenya > Tel: +254 (20) 27 92 000 > Fax: +254 (20) 27 100 10 > Email: [EMAIL PROTECTED] > Aim:felixbako -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: load balancing and fault tolerance without load balancer
NANOG really isn't the forum for this kind of conversation. That said, look into devices like Alteons, or open source solutions like Balance-NG. Even Apache can be used for this with something like mod_proxy. Good luck. - billn On Sat, 15 Mar 2008, Joe Shen wrote: hi, we plan to set up a web site with two web servers. The two servers should be under the same domain name. Normally, web surfing load should be distributed between the servers. when one server fails, the other server should take all of load automatically. When fault sever recovers, load balancing should be achived automatically.There is no buget for load balancer. we plan to use DNS to balance load between the two servers. But, it seems DNS based solution could not direct all load to one server automatically when the other is down. Is there any way to solve problem above? we use HP-UX with MC-Service Guard installed. thanks in advance. Joe __ Tired of visiting multiple sites for showtimes? Yahoo! Movies is all you need http://sg.movies.yahoo.com
Re: NANOG laptops (was Re: Customer-facing ACLs)
On Sun, 9 Mar 2008, Randy Bush wrote: > and i lived through duo, hinote, viao, thinkpad, alienware, and now mac. > i keep the alienware because it has real graphics, 1920x1024, as > opposed to the mac. There was a guy from Amazon at the San Jose meeting who'd transplanted an ultra-high-resolution 15" LCD into his MacBook Pro, after the original one had cracked. I _think_ it was 1280x2048, but I'm not sure I'm remembering accurately. The pixels were too fine for me to see, no matter how close I looked. He said the connector and bolt-positions were identical, but it had required that he compile a new driver before it worked. -Bill
Re: NANOG laptops (was Re: Customer-facing ACLs)
> Macbook Pro (all of IANA (with one recent exception) use Macs of one form > or another). All of PCH uses MacBook Pros. Except Gaurab, who uses a MacBook Air. :-) > > In the good ole days it seemed like 99% were PCs & maybe a couple were > > reinstalled with some form of unix, > > I remember the 'good old days' a bit differently -- folks were indeed > using PCs (Digital HiNote Ultras and hten Sony Vaio 505TXs) but > reinstallation was the norm. Maybe it was just to crowd I hung out with... In the good _old_ days, before the HiNotes, everybody used Duos, then the HiNotes with FreeBSD, then the Vaios started creeping in, then the Titanium PowerBooks came out. -Bill
RE: Area Social Activity
Given that the last reported water temperature in Monterey was 52.9F, I think there will be more drinkers than divers. - billn On Thu, 14 Feb 2008, Rod Beck wrote: I am suggesting a Certified Drinkers Event in the hotel bar Sunday evening. -Original Message- From: [EMAIL PROTECTED] on behalf of Owen DeLong Sent: Thu 2/14/2008 3:36 PM To: North American Network Operators Group Subject: Area Social Activity Sorry for the short notice. For anyone coming to NANOG early who is a certified SCUBA DIver, I'll be diving in Monterey (about 1 hour drive from San Jose) Saturday and Sunday. If you're interested in joining me, send an email off-list. Owen DeLong Open Water SCUBA Instructor (PADI)
Re: Another cablecut - sri lanka to suez Re: Sicily to Egypt undersea cable disruption
More productively, there are real concerns with the cable routing around India and Pakistan. Connections across Egypt have geographical constraints that are probably more significant than the political ones, but having most of the connectivity into western India going into Mumbai and not Cochin or Bangalore and only having one drop into Pakistan are risks that ought to be fixed. In large part they're a heritage of telecomms monopolies, and are theoretically fixable, but both countries are at some risk until they do something about it.
Re: Another cablecut - sri lanka to suez Re: Sicily to Egypt undersea cable disruption
On Feb 1, 2008 2:37 PM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > > (either that, or the backhoe operators' union has decided there's > > better money to be made on water than on land.) Guys named Bubba can get fishing licenses just as easily as backhoe drivers' licenses. One of my customers in the forestry business ran their own cables along their railroad tracks, and every year during hunting season they'd have problems with guys named Bubba shooting at birds on the cables at bridge crossings. > Yah. I'm a security guy, and hence suspicious by nature -- our slogan > is "Paranoia is our Profession" -- and I'm getting very concerned. The > old saying comes to mind: "once is happenstance, twice is coincidence, > but the third time is enemy action". My business card often says "Technical Marketing", which means I'm supposed to have some wide-grinning explanation about sychronicity of root causes; obviously this is some problem with ship navigation software not using the correct GPS datum, so it's a common-mode operator-interface error that's not the fault of either the telcos or Vendor C's or J's equipment. Funny how Iran's just accidentally fallen off the net, though. I forget the French and Arabic equivalent names for Bubba, but I still think it's him and Murphy. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Cost per prefix [was: request for help w/ ATT and terminology]
Right now we rely on ARIN and the RIRs to artificially suppress the growth of the prefix count and with it the availability of PI space. If we can determine the cost to announce a prefix then we could develop a market-based solution to the problem... instead of suppressing the prefix count, we GET PAID for announcing and propagating prefixes. Right now, we rely on our appetites to tell us when we're full, and should stop eating tasty sammitches. If we can determine the cost of obesity, then we could develop a market-based solution to the problem... instead of eating less, we GET PAID for eating tasty sammitches! Not sure this one holds together, when viewed at the macro-level. Note that this is my first posting of the morning, is probably crustier than average, and should most likely be ignored. -Bill PGP.sig Description: This is a digitally signed message part
Re: Network Operator Groups Outside the US
On Wed, 16 Jan 2008, Phil Regnauld wrote: > Note that Scandinavia doesn't have anything formal network operator > meeting either, even though it's a very active area. Patrik, Kurtis, et al organized a few NordNOGs; I think there were three of them, but it didn't seem to get much traction outside of Sweden, and I think they got tired of being the only ones pushing it forward. -Bill
Re: Looking for geo-directional DNS service
On Tue, 15 Jan 2008, Hank Nussbacher wrote:
> The Ultradns (now Neustar) Directional DNS service is based on
> statically defined IP responses at each of their 14 sites so there
> is no proximity checking done.
Yes, and that's how anycast works: it directs traffic to the
_topologically nearest_ server. So as long as there's a DNS server
topologically near your data server, your users will get the topologically
nearest of your servers. Which is why so many content folks _do_ roll
their own: to ensure fate-sharing between the DNS traffic which
effectively selects the data server, and the eventual data traffic.
If you're doing things on the Internet, instead of the physical world,
topological distance is presumably of much greater interest than whatever
geographic proximity may coincidentally obtain.
-Bill
Re: Asymmetrical routing opinions/debate
There's the somewhat trivial efficiency that if you're willing to accept asymmetric routing, you spend a lot less time tweaking your networks than if you insist on symmetry, and the more significant issue that the network will usually be more resilient and reliable (though slightly less predictable) if you're not tweaking it. Essentially, if you don't control all the parts of the network that your packet uses, you're not able to directly set optimization parameters, so what you're doing to get symmetry is throwing lots of hints at the network and hoping some will stick, and the parts of the network that happen to cooperate with you may not be the best ones that are otherwise available.
Re: [admin] Using the NANOG list as a paging mechanism
Normally these requests are looking for somebody who's operational and has a clue, and therefore aren't intended for me (:-), but IMHO they're_really_ not a problem. They're almost always short, and have Subject: lines that indicate what they're about, so it's easy to skip over them based on the Subject: line, and Gmail thinks I have 6.5GB of remaining quota space so it's not even worth the effort of deleting them. Sometimes they're even about issues like getting through the AOL email-rejection loop that are useful to multiple people. It's operational and de minimus.
Re: [admin] Using the NANOG list as a paging mechanism
On Fri, 4 Jan 2008, Patrick Clochesy wrote: I think the "page" is going to the list because the sender does not know the contact for the site, and the list provides a good way to find someone to handle the request... the intended recipient of the page being a north american network operator :) We could come up with a list or an updateable site, but it's bound to be abused and thus ignored, the same reason people arn't sending to abuse@ and postmaster@ in the first place. I think the reason such a site doesn't exist already is because it's a spam seed. Nanog lists are archived, aren't they? Searching for a user from a specific domain might net more immediate results, in some cases, provided the search result doesn't have a timestamp of 2005 or older. - billn
Re: Network Solutions domain transfer lock policy?
On Mon, 19 Nov 2007 17:59:11 -0500 Deepak Jain <[EMAIL PROTECTED]> wrote: > Is anyone aware of this as a kosher activity and is anyone aware of > any other registrars doing it? Keep in mind, these are legitimate > contact changes and not suspicious in anyway. I personally do not think it's kosher, but I do know that GoDaddy has been doing this for quite some time. It's one of the many reasons I no longer do business with them. -- Bill Thompson [EMAIL PROTECTED] signature.asc Description: PGP signature
Re: VLANs
On Tue, 13 Nov 2007, Christopher Morrow wrote:
> There was once a customer at a past job that used a sacrificial T1 to
> do this... They'd just announce/next-hop the attacked thing to the T1
> interface, apparently remembering that there was BHR community
> available (and config'd for them) was hard to do.
Zocalo didn't do this with UUNet, but did with several transit providers
and peers who didn't have such communities.
-Bill
Re: [admin] Errors to NANOG list subscribers take II
On Fri, 9 Nov 2007, Jay R. Ashworth wrote: > On Fri, Nov 09, 2007 at 11:11:28AM -0500, Martin Hannigan wrote: > > On Nov 9, 2007 11:00 AM, Bill Nash <[EMAIL PROTECTED]> wrote: > > > Given the serious impact this is having on operations, does this have a > > > master ticket number or escalation id of some type? Has the vendor been > > > involved yet? When can we expect to see a post mortem/RFO? > > > > Try not to get overly ridiculous here. The updates are to keep people > > informed that everyone on the back end cares. > > Now, see, Bill, I could've *told* you that humor would be too dry for > Martin. :-) > > Cheers, > -- jra > For those scoring on technique or style, I call that one 'Shooting the Moon'. =) - billn
Re: [admin] Errors to NANOG list subscribers take II
Given the serious impact this is having on operations, does this have a master ticket number or escalation id of some type? Has the vendor been involved yet? When can we expect to see a post mortem/RFO? - billn On Fri, 9 Nov 2007, Martin Hannigan wrote: > > Dear Colleagues: > > As you know, we are all seeing a single mailer message show up in our > mailboxes at ~0330/est on a daily basis. We are aware that this is > on-going. > > The issue is being actively worked on by the admin team at Merit and a > resolution is forthcoming. Since the message happens once a day, it's > understandably difficult to make a best effort determination that a > fix will take hold. There isn't a test or dev system to try out > solutions. > > This problem has been assigned a reasonable priority by the folks at > Merit and we hope to see it fixed soon. Thanks to all who have let us > know about this. > > Best Regards, > > Martin Hannigan > NANOG MLC Member >
Could a earthlink e-mail admin please contact me off list
Greetings, Could a earthlink e-mail admin please contact me off list, or someone that could get me in contact with one. Thanks, Bill Sehmel -- Bill Sehmel -- [EMAIL PROTECTED] -- 1-206-438-5900 x4302 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.netASN 14361
Re: Hey, SiteFinder is back, again...
When Verisign hijacked the wildcard DNS space for .com/.net, they encoded the Evil Bit in the response by putting Sitefinder's IP address as the IP address. In theory you could interpret that as damage and route around it, or at least build ACLs to block any traffic to that IP address except for TCP/80 and TCP/UDP/53. But if random ISPs are going to do that at random locations in their IP address space, and possibly serve their advertising from servers that also have useful information, it's really difficult to block. Does anybody know _which_ protocols Verizon's web-hijacker servers are supporting? Do they at least reject ports 443, 22, 23, etc.? In contrast, Microsoft's IE browser responds to DNS no-domain responses by pointing to a search engine, and I think the last time I used IE it let you pick your own search engine or turn it off if you didn't like MS's default. That's reasonable behaviour for an application, though it's a bit obsequious for my taste.
Re: OT: Vendors Using NANOG for a Sales Channel
On Fri, 26 Oct 2007, Scott Weeks wrote: > I would suggest that no one should buy from vendors who get email > addresses from NANOG or other technical mailing lists. It will only > encourage them to do it more and ruin the value of the mailing list in > question. > > You obviously haven't had the experiences that some have had with sales > folks that use this method. Some are like the little Chihuahua that > won't quit trying to hump your leg. No matter how many times you tell > them you're not going to "do it" they keep trying. > > However, the company in this case did redeem themselves and I respect a > company like that. Which is to say, they were one of the few that apologised. The recurring theme is that it's always a rogue salesperson who didn't know better, or some overzealous marketing person. I'd agree with Scott on this point, that you shouldn't buy from vendors who do this, but ultimately, it's not going to change the way they behave. Over the course of my entire career, I've never been a fan of salespeople, because they do what they're supposed to do: whatever they can to make money. In our particular field, it cuts both ways, because they're either hassling you to buy something, or your own salespeople are selling something you can't support or don't even offer. It's the kind of thing that probably won't change until someone whips out one of the spam laws and sues a couple people over it, or engages in executive carpet bombing. Either way, it's always going to be a temporary reprieve until it gets out of hand again. It'd be churlish of NANOG, as an organization, to organize blacklists and boycotts, and probably even shooting itself in the foot because some vendors may actually be offering something worthwhile, but is there any other real solution? How often do people take the time to ask any given salescritter how they came by contact info? - billn
Re: Abovenet OC48 down
> Does anyone actually believe that an ISP could know that they've got an
> OC48 down, but not which one it was?
That would pretty much be determined by how much MPLS tomfoolery was
involved.
-Bill
Re: How Not to Multihome
On 10/8/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > That brings up an interesing point. My biggest fear was that one of my > other customers could possible be closer to me that the ISP that provides > the primary link and it would cause them to favor the backup link because of > AS path. I think they are going to fight me on this and telling them to > multihome to their original ISP would probably be frowned upon at this > point. I was hoping that there was an RFC for multihoming that I could use > to bail myself out. What they're asking to do is really Just Fine. It may or may not accomplish what they want, depending on how they do it, e.g. whether traffic will go through their other ISP or yours. The main reason it's a Not Best Practice is that it often doesn't get what the user wants, e.g. the user only has a /29, so only the aggregate advertisement from their primary ISP works anyway, or it's PA space so they'll still have to give it up if they change ISPs. But if they've got a /24, that's big enough that most carriers will see it these days, and there's no need to clutter up the BGP ASN space if your user doesn't need the extra flexibility. There may even be a market for ISPs to do multihoming on a cabal basis, e.g. Carrier X and Carrier Y get a /20 that they assign routes from to customers that use both of them, but only advertise the aggregate to the rest of the net. They'd still need to handle the more specific routes internally and exchange them across their peering link, but wouldn't have to bother the rest of the net with that level of detail. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Why do some ISP's have bandwidth quotas?
On 10/4/07, Hex Star <[EMAIL PROTECTED]> wrote: > Why is it that the US has ISP's with either no quotas or obscenely high ones > while countries like Australia have ISP's with ~12gb quotas? > Is there some kind of added cost running a non US ISP? One early US cable modem company started propagating the "Don't Let Customers Run Anything Resembling a Server" meme to many other ISPs, primarily cable but also DSL. One early Australian cable company started propagating the "Don't Let Customers Download More than X MB/month" meme, and while it hasn't been picked up as widely, there are a number of ISPs that have adopted it. At one time Australia did have a relatively small amount of Internet bandwidth and a large non-data-clueful dominant carrier, which had only gradually been bullied into accepting that there were data customers who wanted an E1 line because they wanted the whole 2Mbps for one medium-sized data channel as opposed to 30 channels of boringly slow 64kbps (perceived by the carrier to be blazingly fast...) So they charged their users a lot to download data from outside; I forget if they were the ones who had a cheaper rate for data downloaded from inside Australia or not. But outside the Land of Oz, it used to be that European PTTs also charged excessive amounts of money for connections around their countries or across borders. That's changed radically with liberalization. And of course Japan and Korea charge minimal amounts for huge home broadband bandwidth - Korea has about triple the population of Australia, in much smaller land area, and while it's not quite as far from Silicon Valley as Australia is, and of course it's much closer to Tokyo, it's still got to cost a bit to run the cables there. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Long-haul protected services: (was: Re: Bee attack, fiber cut, 7-hour outage)
On 9/21/07, Deepak Jain <[EMAIL PROTECTED]> wrote: > However, when I see "Location of Maintenance: France" and a 5 minute > outage for a protected SONET service on a supposedly redundant, high > quality International voice/data network... well, let's just say I'm not > impressed -- on 36 hrs notice, no less. > > I can't do anything with respect to an SLA since there is advanced > notice, but isn't it reasonable to assume that in this day-and-age > running a properly protected T3 isn't *that hard* anymore > Especially in advance -- you know, shunt the traffic to one your other > circuits because, you know, you are supposed to have this massive network. Typically for a service like that, the carrier would have one or more long-haul rings, either SONET or DWDM with the SONET on top of it or something, interconnected to access rings from a local access carrier at each end, either close to the customer endpoint or possibly back at regional interconnects. The long-haul carrier might not control the local access carrier except through an SLA, so it could be that the local carrier messed up. One hopes that the interconnections between the networks are also at diverse POPs (at least for big countries like France), but it is possible for the interconnections to fail clumsily. The "shunt the traffic to other circuits" approach is naively correct, but I've seen more than one case of "discover that one side of an access ring has failed by shunting the traffic from the other side to do maintenance and having a customer call you a couple of minutes later to report an outage at their headquarters", which is absolutely never supposed to happen, of course :-) What a 5-minute outage sounds like to me is "The early-90s T3-based restoration system recovered the circuit on an end-to-end basis using DACSs instead of SONET restoring it", but I'd be surprised to see than happening at a newer carrier like Vendor L who built most of their network after SONET technology became affordable. Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Market for diversity
On 8/26/07, Jason LeBlanc <[EMAIL PROTECTED]> wrote: > More on point for this thread, I always have new vendors bring in fiber > maps and show me their paths. Images of the intended path specified on > the map are part of the contract, including verbage regarding failover > paths. Once I know where their fiber is, I can look for another vendor > that takes a different path. This often won't get you the most cost-effective connections, and sometimes it'll be bad for performance as well, and doesn't always take advantage of available technology. For instance, if Carrier 1 and Carrier 2 both use the same route for their primary connection, and you buy from Carrier 1 because they're 5% cheaper, you may find that Carrier 2's second-best route is a lot more expensive that Carrier 1's. If you're buying from two carriers to get equipment diversity as well as route diversity, you've lost. Another kind of problem I've run into in the past - here in California, to get from SF to LA, you can either go down the coast or down the Central Valley, depending on which railroads or highways you like. But there's another route that takes a railroad connection from SLO (middle of the coast) to Bakersfield (south/middle of the valley), and if your primary connection uses that route, the options for diverse routes go through Salt Lake City or Denver. Given the history of what fiber got built when, you'll find that for some speeds many of the carriers use that crossover route, while for lower speeds there's a lot more choice. >From a technology standpoint, a lot of carriers are starting to use intelligent optical switches that give them automated provisioning, automatic reroutes, etc., so while they can show you where their cable routes are, and where the most likely provisioning and reroutes go, in general you can't get a precise guaranteed route, because that's not what the switches do. > What I find hard to combat are M&A changing operations over time, In general, it's hard for one carrier to keep track of diversity (though some can), and much much harder for two carriers to keep diverse from each other. And the tracking problems scale differently for large connections, where you may build custom access rings, than for small connections where most providers are reselling telco last-mile copper. There's also the problem of diversity philosophy - it's not uncommon for large East-Coast companies to view equipment diversity as the critical problem, and concentrate their switches into a smaller number of larger sites where they can do cost-effective sparing, and have their fiber spread out across many different physical routes, not remembering that customers in the West Coast expect that buildings just fall down sometimes, so they care about building diversity, and geographical and demographic considerations mean that there are only a few good routes across the Rockies and along the coasts. (Of course, sometimes this means that the West Coast customers buy from multiple carriers to get building diversity and _still_ get caught when a telco DACS fails :-) Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: [policy] When Tech Meets Policy...
> > On 8/15/07, Barry Shein <[EMAIL PROTECTED]> wrote: > > > > I am not sure tasting is criminal or fraud. ... > Well, not all of us agree that these ad-only pages are particularly a > problem. They're certainly not necessarily criminal or fraudulent > except by some stretch. There are different applications for domain tasting out there, with different levels of legitimacy. Some of them will go away if you reduce the amount of refund they get for returning the name; some won't. -- Actual mistakes - probably not many of these, and in a corporate environment it's ok if a company has to pay $6 for their mistake; they're going to end up spending more money handling the invoice in most cases. As other people have pointed out, for individuals, getting stuck paying the current $6 fee is a lot less annoying than the old $35 fee if you've made a mistake, but it's possibly useful to have some incentive for the user to return the name if they genuinely made a mistake, such as being one letter away from a popular web site in a country whose language the user doesn't speak or violating a trademark they'd never heard before. -- Ad-banner tasters - They're hoping to make money by littering the domain name space with content-free material, which is not criminal or fraudulent, just rude. Ostensibly you could get rid of them by requiring web pages to have real content, but not only would that require enforcement by humans (yeah, right), but it's trivially easy to generate pages with Not Much Content as opposed to no content at all, if nothing else by putting a boilerplate wiki page there and pretending that you've got real users who just haven't shown up yet. The way to get rid of these guys is to charge money for the pages, i.e. don't force the registrars to return their entire registration fee, and possibly have ICANN keep their US$0.20 cut of the funds even if the customer returns the name. That won't get rid of all of them - some will even be willing to pay the whole $6 - but it'll cut down on most of the ankle-biters. -- Phishers trying to hide - They're not providing ad-banner-only pages, they're providing web forms that look very much like Example-Bank.Com's web site, or are Cyrillic-font variants on Paypal, etc., and they use domain tasting so they can collect hits from suckers for a couple of days and then make their records disappear by returning the name. Charging a restocking fee is less important here - if the phisher's succesful they'll make more than enough to pay for it, unlike the typo-squatters - but there ought to be some requirement to keep the registration information around in case anybody wants to investigate it later, even if it turns out to be bogus information registered from a random zombie's IP address. -- Fast-flux spammers trying to hide _and_ save money - They're also playing the game of keeping a domain name up for a short time so that mail gets delivered and then shutting it down to cover their tracks, as well as serving the DNS and web page information from a bunch of different zombies. (Not all of them do domain tasting - depends on the state of the anti-spammer arms race - but it does let them save $6 for a name they're only going to need for a couple of days before the spam filters cut their response rates down.) According to the Council for Made-Up Statistical Information, getting rid of free domain tasting will get rid of 90-98% of the ad-banner domain tasters, making it easier to track the actual bad guys and laugh at the couple of people who made legitimate mistakes. It also makes it a bit easier to provide reliable alternatives to standard DNS transmission - a back-of-the-envelope estimate I did a couple of years ago said you could multicast all of the DNS root/.com/.net/.org information in near-real-time in about 56kbps, except for the domain tasters, which would make it easy for ISPs and possibly end users to maintain reliable caching servers even if the main DNS root servers were under attack. You'd need a bit more than that today, but it wouldn't be that hard if you could eliminate the tasters (I suppose only transmitting information for domains that were registered for more than a week would do that, and you might need to limit TLDs to weekly, so sites that wanted to use DNS load-balancers would need to put them in www.example.tld instead of just example.tld.) Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: For want of a single ethernet card, an airport was lost ...
On 8/18/07, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > Did you see what the GAO found when they audited the US-VISIT network? > The summary is at > http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202260.html?hpid=sec-nation; > the full report is at http://www.gao.gov/new.items/d07870.pdf As usual with security, it's a tradeoff between goals, threat models, economics, and competence. While the goals of the system, as identified by the GAO, include a brief phrase about "facilitate legitimate travel and trade", the rest of the report appears to entirely ignore it. It focuses on attackers, and bad guys trying to get in, and the closest the report gets to anything about reliability or business continuity is a bit about preventing attackers from carrying our denial of service attacks.Given the ability of one bad network card to take down the network, and given a set of operational plans that keeps incoming international travelers confined to their airplanes for hours at an airport the size of LAX which handles a lot of connections between international and domestic or other international flights, it appears that the designers of both the technical and operational sides are also ignoring the goal of facilitating legitmate travel and trade. I can't say I'm surprised, either. While treating travellers well probably won't be one of their goals until there's a major change in government philosophy, perhaps they can improve service by anthropomorphizing those evil terrorists named "Father Time", "Murphy", "Router Bugs", and "Bubba the Backhoe Driver". Certainly the operational side didn't have processes for supporting travellers with reasonable-looking papers in the event of a computer failure. About two decades ago there was a network failure that took out all three New York City area airports, caused by one guy with wire cutters who was in the wrong manhole in Newark. If they FAA had a set of dial backup modems at each of the airports, they could have worked around it, but they believed strongly that the shared civilian infrastructure wasn't reliable enough and they needed to have dedicated systems just for air traffic control. Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: iPhone and Network Disruptions ...
> > Cisco, Duke has now come to see the elimination of the problem, see: > > "*Duke Resolves iPhone, Wi-Fi Outage Problems"* at > > http://www.eweek.com/article2/0,1895,2161065,00.asp > > Since neither Apple, Cisco nor Duke seems willing to say exactly what the > problem was or what they fixed; not very surprising; it was probably a > "Duh" problem unique to Duke's network. Nope. My understanding is that it's an ARP storm, or something similar, when the iPhone roams onto a new 802.11 hotspot. Apple hasn't issued a fix yet, so Cisco had to do an emergency patch for some of their larger customers. This is just my understanding based on one conversation about it. I'd feel like an idiot saying "don't quote me" on NANOG, but... I don't have any special knowledge about it, nor personal experience of it, so... -Bill
Re: Security gain from NAT
On 6/5/07, Roger Marquis <[EMAIL PROTECTED]> wrote: Are you proposing that every company use publicly routable address space? How about the ones that don't qualify for a /19 and so are dependent on addresses owned by their upstream? This discussion evolved from an IPv6 discussion, so there's plenty of address space for everybody in the assumptions, and you can have a /48 even if a /64 is overkill. To change ISPs for example, would it be simpler to change the IP address of every node in the company or to run NAT on the gateways? Unlike the security discussions, that's one area where NAT really does make life easier for medium-large companies (either 1-1 NAT or PNAT will do.) It lets you number your internal space as 10/8, regardless of what ISP or ISPs you're using externally, so if you have to change one of your ISPs, you don't have to renumber anything except possibly a couple of externally-visible servers and gateways. Of course, that only remains true until some merger or acquisition mashes your 10/8 address space into another company's 10/8 address space , at which point you've still got work to do unless you were both careful about taking random subnets of 10/8, e.g. 10.x/16 for randomly selected x>10. Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Content provider plans
On 5/30/07, Michal Krsek <[EMAIL PROTECTED]> wrote: Few weeks ago I had interesting discussion with *unnamed* Google VIP. His answer has been: "Google engineers doesn't see need to spend money on building IPv6 infrastructure. You, as user, can motivate them by sending request supporting this idea." I see three main ways Google might use IPv6 infrastructure -- Using IPv6 for scanning IPv6-distributed web pages, at least for IPv6only pages -- Accepting search requests over IPv6 http for users who want that -- Glue, internal applications, etc. The first application is probably the most important - if there's (ostensibly, at least) content on the web that's only available via IPv6, they may still want it (though IPv4-only search engine users may not be able to get it except via Google's cache.) Internal applications might benefit from IPv6, but there's probably enough room in IPv4 10.0.0.0/8 for Google, at least for a while. IPv6 web users will need IPv6-to-IPv4 gateways for a while... Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Slate Podcast on Estonian DOS atatck
> First of it's kind that it targeted a country.
No, at the very least, Moonlight Maze and Titan Rain came before. But by
today's standards, Moonlight Maze would have been trivially small. I
don't have any numbers for Titan Rain. Anyone know how it compared to the
4mpps of this attack?
-Bill
Re: Slate Podcast on Estonian DOS atatck
On Thu, 24 May 2007, Alexander Harrowell wrote:
> a) it wasn't really that serious, b) it was serious
> but mitigation was successful, or c) being well-mitigated (BCP38 and
> the like) from the word go, its seriousness or otherwise wasn't
> obvious?
Definitely (b). The EE-CERT was remarkably well-prepared and effective,
and their counterparts around the world cooperated dilligently and
professionally. It was a very large attack.
-Bill
Re: Slate Podcast on Estonian DOS atatck
On Wed, 23 May 2007, Sean Donelan wrote: > I wonder, does this mean Estonia is now more likely to act/re-act to its > own homegrown miscreants which attack systems in other countries after > seeing the impact it had in their own country? Or is this going to remain > a case of the "bad guys" are always in some other country, not mine. By "bad guys" do you mean the bots, or the C&C? I think in non-state-actor attacks, prosecution of C&C has been reasonably good. It's the botnets that I worry about. All those people still paying Microsoft to make their machines zombies. :-/ -Bill
Re: Slate Podcast on Estonian DOS atatck
> > http://www.slate.com/id/2166749/fr/podcast/
>
> Downloading it now.
>
> John Markoff just called me for the NYT piece. Odd that it's just
hitting
> the news now, two weeks later.
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html?referrer=emailarticle
-Bill
Re: Slate Podcast on Estonian DOS atatck
> http://www.slate.com/id/2166749/fr/podcast/
Downloading it now.
John Markoff just called me for the NYT piece. Odd that it's just hitting
the news now, two weeks later.
-Bill
Re: How many others are nullrouting BT?
On 11/05/07, Jo Rhett <[EMAIL PROTECTED]> wrote: On May 11, 2007, at 1:50 PM, Niels Bakker wrote: > Maybe, just maybe, they are under (British) police orders to keep > those scammers connected to gather more evidence. > > Happened in the Netherlands with an apartment full of Nigerian > scammers connected to UPC. They have refused all of the evidence we have offered to date. They refer us to the UK law enforcement. We ask for contact information for their local office, and they responded with the (fictional) address of Scotland Yard from the popular tv show. That's sarcasm, not helpfulness. It's reckless, inconsiderate behavior. It would be reckless and inconsiderate if it wasn't the correct course of action. You probably want to be in touch with the Economic and Specialist Crime unit: http://www.met.police.uk/scd/specialist_units/economic_specialist_crime.htm which appears to be based here: Metropolitan Police Service New Scotland Yard Broadway London SW1H 0BG [EMAIL PROTECTED] or call +44 20 7230 1212 Hope this helps. -- bill. (two minutes using google and the met police web site) -- Bill Hulley <[EMAIL PROTECTED]>
Re: IP Block 99/8 (DHS insanity - offtopic)
On Mon, 23 Apr 2007, Patrick W. Gilmore wrote:
> ...what has that got to do with the DHS promoting an idea to sign IP
> space allocations and/or annoucements? The idea in-and-of-itself doesn't
> sound wholly unreasonable. (I am not advocating this, just saying the
> idea shouldn't be rejected without consideration simply because the DHS
> said it.)
Exactly! This whole thread has been people arguing against a straw-man.
DHS never asked for any KSKs or anything. They're not even mentioned in
the report. HSARPA just put up some of the money to fund the drafting of
the report, as ARPA/DARPA/HSARPA have been funding miscellaneous Internet
stuff forever.
-Bill
Re: Thoughts on increasing MTUs on the internet
One of my customers comments that he doesn't care about jumbograms of 9K or 4K - what he really wants is to be sure the networks support MTUs of at least 1600-1700 bytes, so that various combinations of IPSEC, UDP-padding, PPPoE, etc. don't break the real 1500-byte packets underneath.
RE: PG&E on data centre cooling..
Fisher's not doing this now.. -b -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lasher, Donn Sent: Monday, April 02, 2007 1:49 PM To: John Kinsella; nanog@merit.edu Subject: RE: PG&E on data centre cooling.. >I sorta wonder why the default is lights on, actually...I used to always love walking into dark datacenters and seeing the banks of GSRs >(always thought they had good Blink) and friends happily blinking away. > >What we really need is a datacenter with lit floor tiles. ;) > >John(damn I've been in a DC with clear floor tiles...why didn't I think of this then?) There's at least one datacenter in Seattle that when the customer "cards" in, lights up the floor to their cabinet Been a while since I've been in it, but I remember it "USED" to do that (fisher, internap I think?)
Re: ICMP unreachables, code 9,10,13
On Wed, 28 Mar 2007, Christos Papadopoulos wrote: > My next question is about responses to ICMP pings (echo request), > when they return ICMP UNREACHABLE with codes 9,10 or 13. > > Responses with these codes seem to imply the presence of a firewall. > Is this assumption correct or are these codes meaningless? > They do have meaning, and you do see them in production (generally in traceroute responses.) These can indicate the presence of either a firewall, or an ACL. Both traffic barriers are typically configurable, and whether or not you get a response is very often dictated by how hardcore the network engineer or security engineer is about giving up information about their network. > If this a configurable parameter, how to you typically decide what > to set it to? See previous comment about relative values of hardcore. Arguably, use of these options is telling the end user things about your network configuration, including, very specifically, which device is blocking their traffic. Depending on your security stance and requirements, this may be good or bad. Personally, I simply drop the offending packets into the bitbucket and let the user wonder. - billn
Re: multiple-choice question of the day
> and here I thought there were supposed to be no political discussions on
> nanog-l :)
What, you want to rule out _all_ discussion of IPv6? :-)
-Bill
Re: Paul Vixie: Suspected Arms Dealer
> Is there something he's not telling us?
Wasn't Paul also in that movie with Kevin Bacon?
Thanks; Bill
Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
Re: wifi for 600, alex
On 1/23/07, Perry Lorier <[EMAIL PROTECTED]> wrote: We did have a lot of problems with devices that didn't have a web browser (so had to ask us to add their macs manually, there were 11 people who had this that aren't accounted above). Mostly voip phones, but it's amazing how many people have random bits of hardware that will do wifi! Perhaps wandering off topic, but I was throwing around the idea of writing a pseudo-SIP server for registration of this kind of device - assuming that you have a second device that does have a web browser, register with that and then request to add a SIP device, it provides you with a one-off SIP "number" to call to provide the mac address. Bill
Re: BGP blackhole routers available to public?
On Fri, 26 Jan 2007, Gregory Edigarov wrote: > I was looking over the internet for them, but it seems that I would get a much > quicker answer from the list. > Can somebody show me any good public BGP blackhole routers? -- Which begs the question.. why would you deploy a public blackhole route table? - billn
Re: Colocation in the US.
Obviously convection is the best way, and I've gotten away with it a few times myself, but the usual answer to your "why not" question is "Fire codes." Convection drives the intensity and spread of fires. Which is what furnace chimneys are for. Thus all the controls on plenum spaces. But when you can get away with it, it's great. -Bill Please excuse the brevity of this message; I typed it on my pager. I could be more loquacious, but then I'd crash my car. -Original Message- From: Paul Vixie <[EMAIL PROTECTED]> Date: Thu, 25 Jan 2007 14:44:21 To:nanog@merit.edu Subject: Re: Colocation in the US. > How long before we rediscover the smokestack? After all, a colo is an > industrial facility. A cellar beneath, a tall stack on top, and let physics > do the rest. odd that you should say that. when building out in a warehouse with 28 foot ceilings, i've just spec'd raised floor (which i usually hate, but it's safe if you screw all the tiles down) with horizontal cold air input, and return air to be taken from the ceiling level. i agree that it would be lovely to just vent the hot air straight out and pull all new air rather than just make up air from some kind of ground-level outside source... but then i'd have to run the dehumidifier on a 100% duty cycle. so it's 20% make up air like usual. but i agree, use the physics. convected air can gather speed, and i'd rather pull it down than suck it up. woefully do i recall the times i've built out under t-bar. hot aisles, cold aisles. gack. > Anyway, "RJ45 for Water" is a cracking idea. I wouldn't be surprised if > there aren't already standardised pipe connectors in use elsewhere - perhaps > the folks on NAWOG (North American Water Operators Group) could help? Or > alt.plumbers.pipe? But seriously folks, if the plumbers don't have that, > then other people who use a lot of flexible pipework might. Medical, > automotive, or aerospace come to mind. the wonderful thing about standards is, there are so many to choose from. knuerr didn't invent the fittings they're using, but, i'll betcha they aren't the same as the fittings used by any of their competitors. not yet anyway. > All I can think of about that link is a voice saying "Genius - or Madman?" this thread was off topic until you said that.
For anyone who hasn't yet asked Ren for an explanation...
...of how this whole AT&T rebranding thing works, Stephen Colbert summs it
up:
http://www.youtube.com/watch?v=Bj1Mtv9cD0I&eurl=
-Bill
Prefix list formats: advice needed
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Howdy. For a tool we're writing, we need to be able to accept lists of prefixes people might want to BGP advertise. We'd like to be "liberal in what we accept" and recognize lists formatted in as many ways as people think they might reasonably have. There are some obvious ones: - Delimited lists of CIDR-format addresses. This would include addresses in "slash" notation, with some punctuation or whitespace between them. That would cover a lot of hand-typed and tool- generated lists, as well as Juniper-format prefix lists. - One-address-per-line, CIDR-format, with other non-address stuff in the line. This would include Cisco ip prefix-list format, most IRR whois, and some RIR whois. - One-address-per-line, with separate address mask in normal order (ones values on the left, zeros values on the right), with other non- address stuff in the line, some of which might look like more addresses. This would include Cisco ip route statements. - One-address-per-line, with separate address mask in reverse order (zeros values on the left, ones values on the right), with other non-address stuff in the line, some of which might look like more addresses. This would include Cisco ip access-list statements. - Address-ranges, characterized by a starting address and an ending address, perhaps with a hyphen between them. This would include many older RIR whois entries. Can anyone think of any other formats people are likely to have lists of prefixes in? Thanks much, -Bill -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFqqrfGvQy4xTRsBERAt/7AKClUXCT3N5NJBGVReildfMO/xQjMACcDDDH 1EEYeKq71UiayuppDXHu3Yo= =uQ03 -END PGP SIGNATURE-
AFP article on Taiwan cable repair effort
http://news.yahoo.com/s/afp/20070112/tc_afp/asiaquakeinternet_070112170621 A few numbers to help understand the scale of the effort being applied. -Bill
Re: Phishing and BGP Blackholing
On Thu, 4 Jan 2007, Pete Templin wrote: > This "place" is full of people with opinions. Some like it hot, some like it > not. We are never going to agree on top/inline/bottom posting. > Why can't we all just get along and discuss operational issues? > Let's throw preference out the window and speak to practicality for a minute. If you're reading nanog-l from a blackberry or mobile, and paying by the byte to do so, you're either an idiot or work for a company wealthy enough not to care (My opinion.) But, even blackberry users land at a laptop or workstation at some point. 9 times out of 10, nanog chatter isn't about life-and-death critical ops outages and the like, it's people having casual discussions. Most blackberry users are on-the-go types, running from meeting to meeting or site to site. The only reason I could see such a user reading nanog is because they're bored, have some downtime, or have a fervent need to look cool at Starbucks. Much like anything else, the world will not warp and bend to your preference. As a living organism, it's up to you to adapt to your environment. Just don't be like Randy and whiz in the pool because someone did something you didn't like and we'll all get along great. - billn
Re: Phishing and BGP Blackholing
On Wed, 3 Jan 2007, Bill Nash wrote: > malicious/hacked sites. Currently, phishing sites and open proxies, make > it into blacklist, but drone network C&Cs do. Darknet is intended to Someone pointed out my typo. This should read 'phishing sites and open proxies don't make it into the blacklist'. Sorry for any confusion the may have inflicted. Drink more coffee! - billn
Re: http://cisco.com 403 Forbidden
On Wed, 3 Jan 2007, D'Arcy J.M. Cain wrote: > On Wed, 3 Jan 2007 16:39:40 + > Simon Waters <[EMAIL PROTECTED]> wrote: > [...] > > Working fine here. Resolves to 198.133.219.25 > > What does DNS resolution have to do with 403 web errors? > Determining if this is an episode of GSLB's Gone Wild. - billn
Re: Phishing and BGP Blackholing
On Wed, 3 Jan 2007, Andy Davidson wrote: > From a 'problem solving' perspective, a Team Cymru-style bgp peer that > injected very specific routes into their routing table, and matching > configuration which caused those particular routes to be dropped would be > ideal. Additions and deletions would be as close to real-time as possible. > > From a political perspective, I could only advocate to clients such a service > that had a strict policy of adding routes to addresses because of a provable > policy infringement. For example, a route for 1.2.3.4/32 would only be > announced by my bgp-blacklist peer if it could be demonstrated that a device > reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp > relay) and not because a phishing site was hosted there. Different > priorities for different networks I guess .. disclaimer: I do development work for the company I'm about to endorse. I endorsed this product before when I was a client. I've since left my previous position and gone to work on it. This is one of the very few posts I'll ever make that's in any way representative of an employer. Mainnerve's Darknet product is exactly that: A managed blacklist of malicious/hacked sites. Currently, phishing sites and open proxies, make it into blacklist, but drone network C&Cs do. Darknet is intended to intercept traffic leaving your network to known C&Cs. Currently, this involves a device deployed to your network, that hosts a BGP peer to your network to supply the blackhole routes, redirecting the C&C traffic to the darknet device for packet analysis. I'm currently working on a newer implementation that involves just a BGP peering session and a GRE tunnel, to eliminate the hardware deployment and simplify the whole process, so it functions very much like the bogon filter. - billn
Re: Quick BGP peering question
On Wed, 3 Jan 2007, James Blessing wrote:
> Expecting the traffic is not a problem, just want some way of verifying
that the
> traffic isn't malicious/spoofed (e.g. by using unicast RPF or similar)
Is there some reason a filter wouldn't work?
-Bill
Re: Quick BGP peering question
On Wed, 3 Jan 2007, James Blessing wrote:
> Very simply : Would you accept traffic from a customer who insists on
sending 0
> prefixes across a BGP session?
Does that somehow make their money not [green,colorful,whatever]?
-Bill
Re: Phishing and BGP Blackholing
On Tue, 2 Jan 2007, Travis H. wrote: > On Tue, Jan 02, 2007 at 06:20:01PM -0700, Bill Nash wrote: > > The biggest challenge I can see is scrubbing phishing reports that > > aren't.. themselves.. maliciously crafted phishing attacks against a > > registry of such addresses. > > Can you rephrase that? I want to understand but I'm failing. If you decide to operate some sort of registry for these sites, what's to stop a user from crafting what appears to be a malicious submission, with the intent of getting someone blackholed, just for grins and giggles? Again, trust factor. > IIRC, Riverhead DoS-mitigation systems use a similar mechanism for > filtering out DoS packets en route. I think Prolexic also uses a similiar method. > Oh, and yes, even for one IP, you're still going to have collateral > damage if they're doing shared hosting, since one IP serves many > sites. The only way around this is to actually do layer 7 decoding, > but if the intruder can already set up one phishing account, I > would be hesitant to assume the other co-located sites are really > safe to browse. Well, in many of those cases, you're talking about shared hosting environments, hundreds of mom and pop sites that actually are safe to browse, but running whatever vulnerable content-management kit was provided to them that got the box popped in the first place. - billn
Re: Phishing and BGP Blackholing
Hi. You have sent a message to the entire list that seems to be some sort of automatically generated product of the Smugotron-2000, intended to annoy a single person but is actually annoying everyone. Your mail user agent detected something you didn't like, and instead of simply deleting it, went out of it's way to be annoying. I do not accept such mail. Yes, I know your mail environment automatically responded to it, but seriously, why inflict your curmudgeonly attitude on everyone else? Thankfully, I'm not quite as pedantic as all that, so I took the time to hand craft this missive, just for you! When I'm done, I'll think about coding myself an auto-responder that sends you something else, just like it, whenever you post. Because that's cool, right? - billn On Tue, 2 Jan 2007, Randy Bush wrote: > > you have sent a message to me which seems to contain a legal > warning on who can read it, or how it may be distributed, or > whether it may be archived, etc. > > i do not accept such email. my mail user agent detected a legal > notice when i was opening your mail, and automatically deleted it. > so do not expect further response. > > yes, i know your mail environment automatically added the legal > notice. well, my mail environment automatically detected it, > deleted it, and sent this message to you. so don't expect a lot > of sympathy. > > and if you choose to work for some enterprise clueless enough to > think that they can force this silliness on the world, use gmail, > hotmail, ... > > randy >
Re: Phishing and BGP Blackholing
The biggest challenge I can see is scrubbing phishing reports that aren't.. themselves.. maliciously crafted phishing attacks against a registry of such addresses. Likewise, since BGP isn't application aware, when you blackhole an address that's both website and mail server, how do you inform the end user about their problem, or get a notice from them that it's been fixed? This kind of solution has a huge trust factor hole in it. Distributing a BGP based blackhole list is trivial. The intelligence that goes into it is the hard part. There are companies that provide managed services like this (bgp blackhole route servers for known problem sites, like drone C&C's). (disclaimer: I do development for one.) - billn On Tue, 2 Jan 2007, Joy, Dylan wrote: > > Happy New Year all, > > I'm curious if anyone can answer whether there has been any traction > made relative to blocking egress traffic (via BGP) on US backbones which > is destined to IP addresses used for fraudulent purposes, such as > phishing sites. > > I'm sure there are several challenges to implementing this... > > Regards, > Dylan Joy > Network Security Analyst, BECU > > > > > NOTICE: This communication and any attachments may contain privileged or > otherwise confidential information. If you are not the intended recipient or > believe that you may have received this communication in error, please reply > to the sender indicating that fact and delete the copy you received without > printing, copying, retransmitting, disseminating, or otherwise using the > information. Thank you. >
RE: GBLX issues?
On Wed, 13 Dec 2006, Alex Rubenstein wrote: > > > this morning around <3> am, effecting <2> connections in that > > You mean 'affecting.' Pobody's nerfect. - billn
Re: GBLX issues?
On Wed, 13 Dec 2006, Aaron Glenn wrote: > On 12/13/06, J. Oquendo <[EMAIL PROTECTED]> wrote: > > > > Anyone seeing issues for GBLX around NY? > > > dude, chill. no need to yell. > you know, GBLX sells a lot of different stuff - are we talking IP > transit, MPLS transport, wavelength, voice? what kind of issues? how > is anyone going to know what you're talking about when you're as vague > as humanly possible. > You're awful at this game. When faced with a totally vague question, lacking context or useful information, it's up to you to supply your own. Start with, always: "Yes, is having problems in ." Then, tap your coworkers for assistance: 1: Name a hardware Vendor (the lower the stock value, the better) 2: Name a transport technology (frame relay, sonet, etc) 3: A number between 1 and 10. 4: A number between 8 and 32. 5: A seasonally relevent catastrophic event (snow storm, backhoe, exploding squirrel) Respond: "Yes, is having problems in . Seems <5> hit this morning around <3> am, effecting <2> connections in that location. is having problems getting backup systems online, because they were idiots and deployed <1> gear without failover. At last check, it'll be at least <4> hours before they get things sorted out." - billn
Re: Exotic meeting locations in North America
On Tue, 5 Dec 2006 [EMAIL PROTECTED] wrote:
> There really is no need for all NANOG meetings to have the same format.
> For instance, one full meeting, one regional meeting, and one
> special-focus meeting per year.
I'll truncate the rest of Michael's excellent post for the sake of
brevity, but say that this is one of the best ideas I've heard in a long,
long time. At once, it addresses both of the big issues that NANOG is
facing: scope creep, and irrelevancy. Though I'd assumed the best way of
dealing with the former would be trimming back to two meetings a year, I
like Michael's way better.
-Bill
Re: IP adresss management verification
On 11/13/06, chuck goolsbee <[EMAIL PROTECTED]> wrote: It pisses me off to no end when a sales guy comes to me with a request from a customer for a /20 for a half-rack of web servers. The justification ALWAYS comes down to this inane "search engine optimization" pipe dream. =\ No, no, it's absolutely true, and you can tell them so, and of course you can't provision the space without the customer filling out the ARIN paperwork to justify it and sending you a copy so you know what they're really trying to do. The one customer in 32768 who actually needs it will have enough clue to be able to fill out the forms, and the rest of them will spend a month trying to figure out why they' keep getting rejected. Meanwhile, get them some IPv6 address space, so they'll be cutting edge... once Google starts crawling the IPv6 web. [Sorry - I just get really annoyed when I'm trying to look for some topic for which the SEOs and phishers have polluted the web space with bogus material trying to drag traffic to their site by pretending to offer the real content.] Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Charter.net contact?
S. Ryan wrote: Any Charter.net mail admins around? I'd love to hear from one. Regards, Steve I got some contacts there that I had to use when there mail servers were not accepting mail. Hold on let me dig them up, I think they're on my laptop. I'll follow up with you in ~20 - 40 minutes. -Bill -- Bill Sehmel - [EMAIL PROTECTED] -- 1-206-242-2743 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.netASN 14361
Re: link between Sprint and Level3 Networks is down in Chicago
On Thu, 9 Nov 2006, Deepak Jain wrote: > > Does someone know if this is a *single* link down?? It seems bizarre to me > that there would only be a single link (geographically) between those two. > > Whatever happened to redundancy? > Accounting. ;) - billn
Re: rbnnetwork.org
Alexander Harrowell wrote: Is hosting a phishing site and bouncing abuse reports.. -- Forwarded message -- From: Alexander Harrowell <[EMAIL PROTECTED]> Date: Oct 31, 2006 2:38 PM Subject: Phisher To: [EMAIL PROTECTED] We're receiving large volumes of comments spam advertising a site hosted in your network. http://onlineinvestmentworld.com is located at 81.95.146.166, which is your netblock: inetnum:81.95.144.0 - 81.95.147.255 netname:RBNET descr: Russian Business Network admin-c:RBNR-ORG tech-c: RBNR-ORG mnt-by: RBN-MNT status: ASSIGNED PA country:RU remarks:INFRA-AW changed:[EMAIL PROTECTED] 20060 Alexander, Please contact our Abuse department at [EMAIL PROTECTED] with your complaint. Or online at http://abuse.hopone.net/ Thanks -Bill -- Bill Sehmel - [EMAIL PROTECTED] -- 1-206-242-2743 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.netASN 14361
ELI Issues in Seattle (Tukwila)?
Anyone else noticing ELI latency issues around the Seattle (Tukwila) area? Thanks Bill Sehmel -- Bill Sehmel - [EMAIL PROTECTED] -- 1-206-242-2743 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.net#
Re: Boeing's Connexion announcement
On Sun, 15 Oct 2006, Roland Dobbins wrote: > Not the new MacBooks and MacBook Pros - Apple changed the connector, and > so far have apparently refused to license it to third parties, nor have > they come out with an airline power adaptor of their own. While those are both true, neither negates my statement that Apple laptops (meaning all of them) can run from native EmPower voltage. No transformer is required, only a correct cable. http://www.woodynet.net/pics/index.php?currentDir=photos/2006/06.03-EmPower-MagSafe.Adapter Alec Peterson was reporting success with one of these, as well: http://www.mikegyver.com/ -Bill
Re: Boeing's Connexion announcement
> It's a pity that laptop makers don't either design their machines to > operate on a nominal 13.8 VDC or sell a relatively inexpensive and > commonly available 13.8-to-[whatever DC voltage the laptop uses on > whatever oddball connector they use that seems to be unique to that make > and model and likely serial number and unavailable anywhere]. Uh, Apple laptops plug into EmPower without transformers. -Bill
Re: Boeing's Connexion announcement
On Sun, 15 Oct 2006, Owen DeLong wrote: > This may be a nit, but, you will _NEVER_ see AC power at any, let alone > all of the seats. Wrong. It's standard on Air New Zealand, and it's been on Singapore Air seats I've had as well. -Bill
Re: Broadband ISPs taxed for "generating light energy"
> Sounds reasonable to me. Since the sale of energy is > usually measured in kilowatt-hours, how many kwh of > energy is transmitted across the average optical fibre > before it reaches the powereda mplifier in the destination > switch/router? Also, remember, it's _net_ energy delivered which matters... I'm sure the customer is delivering light back toward the ISP as well. -Bill
Re: AOL Lameness
On Mon, 2 Oct 2006, Bill Woodcock wrote:
> It is indeed happening, and appears to have started last night.
Dang, I really need to train myself to read _all_ of my email before
replying to _any_ of it.
-Bill
Re: AOL Non-Lameness
On Mon, 2 Oct 2006, Rick Kunkel wrote: > I had users that appeared to be getting their email blocked seemingly > because in their sigs, they write their phone number that stupid > IP-Address-Wannabe method, like: > 206.555.1212 > As an aside, is this something that's the norm in other places, like > commas instead of periods for decimals in other countries? I'd hate to > sound critical if it was. It just seems that I know a large amount of > very American people who have decided that phone numbers with periods in > them somehow look more "hip" than dashes. I despise that. I remember running across a standards document which defined it once... ITU, probably. Plus sign, country code, area code, number, space delimited. I don't have the energy to google (hi, verb-searching IP lawyers!) for it exhaustively, but here's one reference, third paragraph down: http://www.eeicommunications.com/eye/utw/96feb.html and here's another: http://en.wikipedia.org/wiki/E.164 -Bill
Re: AOL Lameness
On Mon, 2 Oct 2006, Steve Atkins wrote:
> That seems pretty unlikely (as it would break every email mentioning a
> virtual hosted website), and the URL you link to says nothing of
> the sort (it says "Don't use dotted-quads in URLs unless you want to
> look like Atriks, doofus.").
> Do you have some data suggesting that this is actually happening?
It is indeed happening, and appears to have started last night. And it's
not happening with very great accuracy. A valid mailto URL in a signature
file triggered it, for instance.
-Bill
Re: icmp rpf
Possible approach for small.net - ok, you know that big.net will drop any packets sourced from x.x.x.x if there's no route there (loose uRPF for downstream ISPs like small.net, strict uRPF for end-users.) So give them a route. Either give them a route on one of your direct interfaces to them, and then get rid of the packets by ACL or by null-routing it, or if that causes too much trouble, get yourself a 56kbps line from a spare router and advertise it from there.
Re: tech support being flooded due to IE 0day
Gadi Evron wrote: Hi guys, several ISP's are experiencing a flood of calls from customers who get failed installations of the recent IE 0day - VML - (vgx.dll). If you are getting such floods too, this is why. This is currently discussed on the botnets@ list, as raised by Cox, and I figured I will float it out here. No patch is currently available from Microsoft, workaround are available. Gadi. And this has to do with Network Operations in what way? -Bill -- Bill Sehmel - [EMAIL PROTECTED] -- 1-703-288-3081 Systems Administrator, HopOne Internet Corp. DCA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.netASN 14361
Re: Removal of my name
On Wed, 20 Sep 2006 [EMAIL PROTECTED] wrote: > something in HTML that i can not parse... > care to repost in a format that is readable? Bill, it's really time for you to upgrade from UCB Mail to Pine. Those of us who've gotten with the program and upgraded to 1990's software get all the nasty things stripped out automatically! -Bill
Re: IPv6 PI block is announced - update your filters 2620:0000::/23
Call me naive, but could somebody enlighten me as to what tangible benefit filtering out bogon space actually achieves? It strikes me that it causes more headaches than it solves. All packets arriving from bogon space have the "evil bit" set. There's nobody there you want to talk to, and there's nobody there that your users really want to talk to, even if they got the address from some "legitimate" source like the DNS server for examplebank.com. IPv6 bogons aren't likely to be spammers, because there's not enough critical mass there yet to make it worthwhile, but that just means that the greedy6 bit hasn't been implemented widely, and that'll eventually get fixed. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Data Center Wiring Standards
Rick Kunkel wrote: Heya folks, I hope this is on-topic. I read the charter, and it falls somewhere along the fuzzy border I think... Can anyone tell me the standard way to deal with patch panels, racks, and switches in a data center used for colocation? I've a sneaking suspicion that we're doing it in a fairly non-scalable way. (I am not responsible for the current method, and I think I'm glad to say that.) Strangely enough, I can find like NO resources on this. I've spent the better part of two hours looking. Right now, we have a rack filled with nothing but patch panels. We have some switches in another rack, and colocation customers scattered around other racks. When a new customer comes in, we run a long wire from their computer(s) and/or other device(s) to the patch panel. Then, from the appropriate block connectors on the back of the panel, we run another wire that terminates in a RJ-45 to plug into the switch. Sounds bonkers I think, doesn't it? My thoughts go like this: We put a patch panel in each rack. Each of these patch panels is permanently (more or less) wired to a patch panel in our main patch cabinet. So, essentially what you've got is a main patch cabinet with a patch panel that corresponds to a patch panel in each other cabinet. Making connection is cinchy and only requires 3-6 foot off-the-shelf cables. Does that sound more correct? I talked to someone else in the office here, and they believe that they've seen it done with a switch in each cabinet, although they couldn't remember is there was a patch panel as well. If you're running 802.1q trunks between a bunch of switches (no patch-panels needed), I can see that working too, I suppose. Any standards? Best practices? Suggestions? Resources, in the form of books, web pages, RFCs, or white papers? Thanks! Rick Kunkel Ideally from each core router would go to a two distribution-a switch (Cat 4900 or something similar), from both dist-a switch then go to two bigger distribution (dist-b) switches (cat 6500 etc) Then from each 6500 go to there own patch panels. Then from the two patch panels run a cables to access level (2900's etc) switches in each rack / shelf. This way you have full redundancy in each shelf for your co-located / dedicated customers. My .02 cents -Bill Sehmel -- Bill Sehmel - [EMAIL PROTECTED] -- 1-703-288-3081 Systems Administrator, HopOne Internet Corp. DCA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.netASN 14361
Re: [routing-wg]BGP Update Report
On Fri, 8 Sep 2006, Hank Nussbacher wrote:
> Strike me as curious, but this seems as if Connexion by Boeing is handing
> off a /24 from ASN to ASN as a certain plane moves over certain geographic
> areas.
Yes, that was their architecture, originally. My understanding was that
they'd subsequently moved to a more complicated system of NATing, but my
understanding may be incorrect, or they may not have done so entirely.
-Bill
Re: comast email issues, who else has them?
On 9/6/06, Stephen Sprunk <[EMAIL PROTECTED]> wrote: Telling half my family members they have to go get Gmail so they can email the other half of my family members is ridiculous. Too bad Comcast has a monopoly (or, where a duopoly, the competition is just as incompetent) so they have no incentive to fix it. I'm tired of this duopoly fiction. Cable modem providers are usually de facto monopolies, though some of them may use PPPoE or other methods of supporting wholesale service, but DSL is only a monopoly at the copper layer, not at the DSLAM layer in more than half of the US or at the IP layer in almost all of the US. Beyond that, there are a number of service providers that will accept VPN tunnels of various sorts so you can get service access independent of your ISP's policies. That doesn't mean, of course, that it isn't too much hassle for your relatives to want to do that just to avoid the limitations of Comcast, but they've got lots of options if they want them.
Re: Panama NAP/PNAP
On Mon, 31 Jul 2006, Paul English wrote:
> Can someone tell me where the Panama NAP/PNAP is located?
Wrong list.
http://lacnic.net/mailman/listinfo/napla
-Bill
RE: www.gigablast.com
> What gigablast seems to be doing, on the other hand, is trying to open
> every window in a house in the hopes that it will find one that's open.
Just looking at the text strings in the URLs, my off-the-top-of-my-head
guess was that those were URLs it saw in email spam. They looked very
similar to a lot of the ascii-garbage that gets generated by spammers
trying to get through bayesian filters. It seemed plausible to me (not a
good idea, of course, but the sort of thing that happens) that they might
have been grepping web pages for URLs, and run across an archive of spam.
-Bill
Re: Anyone at HopOne Internet?
[EMAIL PROTECTED] wrote: Hey guys, Just wondering if anyone on here works at HopOne's Network Eng. dep/Noc... let me know off list... Thanks, -Payam Hey, Whats up? -Bill -- Bill Sehmel - [EMAIL PROTECTED] -- 1-206-242-2743 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.net
RE: insane over-regulation - what not to do
On Wed, 21 Jun 2006, Randy Whitney wrote:
> Could you be more specific? Are you talking about "Part VIII
> DOMAIN NAME REGISTAR" or something else?
Not presuming to answer for Randy, just for myself:
This follows one of the typical failure-modes of technical legislation,
which is that it contains quite a few good ideas (cryptographic signatures
should be deemed to fulfill the role of signatures, nonrepudiatable
electronic delivery should be deemed to constitute delivery, etc.) which
are re-worded in less-specific "more accessible" language by lawyers,
chopped into very small bits, mixed and blended until uniformly
unrecognizable, and allowed to ferment until twelve times larger.
These things typically create a bit of a baby-with-the-bathwater conundrum
for people who think they know what _should_ be done, since many of the
things that _should_ be done are in fact buried in the legalese, and
starting over from scratch with the same seeds would, like as not, yield
a very similar bloated bloated end-product, with another year or two
wasted in the mean-time. Which all comes down to the old maxim: you can't
legislate stupidity out of existence. Or, perhaps, legislation, by its
very existence, brings some stupidity into existence.
Less is more.
-Bill
Re: Interesting new spam technique - getting a lot more popular.
And let me tell you.. inheriting a network like that, knowing a better way to do it, will make you want to put a gun in your mouth. Two /19's worth of address space in VLAN1 (not just in one vlan, but in vlan *1*. Cisco nerds are slapping foreheads or spitting Coke right now.) Trying to migrate customers to their own vlan when they've been alloted IPs, willy nilly, across one of the bajillion /24's secondaried on the vlan interface drives me into an entire new dimension of pissed off. Don't even get me started on allocation and traffic accounting. - billn On Wed, 14 Jun 2006, Richard A Steenbergen wrote: On Wed, Jun 14, 2006 at 07:03:10PM -0400, Matt Buford wrote: As a hoster with many customers on large shared VLANs perhaps I can add a bit... Note that if you're reading this list, you have already identified yourself as a non-typical hoster. Go read WHT or GFY for 10 minutes for an example of typical hosters, and if you're not a drooling idiot in need of a brain transplant afterwards consider yourself lucky. :) And don't forget, there are hundreds of hosting networks like the ones I described, a lot of whom are in the 1 - 30Gbps traffic range, with absolutely no clue how to do better. -- Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: wrt joao damas' DLV talk on wednesday
On Mon, 12 Jun 2006, Buhrmaster, Gary wrote:
> I suggest that the
> program committee members take this on as "todo" to formulate
> some sort of acceptable practice for future NANOG meetings.
Taking the liberty of speaking for the rest of the PC, I've heard your
suggestion, and will bring it up at our next meeting.
-Bill
Charter Contact
Could a charter.net administrator please contact me off list. Thanks Bill Sehmel -- Bill Sehmel - [EMAIL PROTECTED] -- 1-206-242-2743 Systems Administrator, HopOne Internet Corp. SEA2 NOC Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.net
Re: Fwd: 41/8 announcement
On Fri, 26 May 2006, william(at)elan.net wrote: > The only way I see to achieve this is to have dns resolver > on the fly convert remote addresses from same network into some other > network and then NAT from those other addresses. Split-horizon DNS, external to the clients, but basically, yes. Like I said, horrifically gross. -Bill
Re: Fwd: 41/8 announcement
On Fri, 26 May 2006, Mikisa Richard wrote:
> Can't be sure what they did, but I received an e-mail asking me to check
> on my connectivity to them and well, it worked.
Presumably they're double-natting. I had to do that once for Y2K
compliance for three large governmental networks that were all statically
addressed in net-10 and wouldn't/couldn't renumber in time. In fact,
there were _specific hosts_ which had the same IP address, and _had to
talk to each other_. Gross. But it can be done.
-Bill
Re: Geo location to IP mapping
On Mon, 15 May 2006, Roland Perry wrote:
> > http://www.hostip.info/use.html, which looks good, at least from a
> > API/ ease of use prespective.
>
> I just tried that, says I'm 100 miles south of where I really am. That's
> quite a long way out in a small country like England.
1.3ms is longer in small countries like England?
-Bill
Re: Geo location to IP mapping
Google's available geolocation resources are much more direct: They can get the information directly from the user. Google mail users setting location information, google home page users setting weatherbug details, common location searches in google maps, or local business directory searches. Taken in connection with neighboring IPs, you can generate the correlations statistically, even going so far as being able to make a good guess at a dialup IP versus an 'always on' connection. This would be the same for MSN, Yahoo search, or any portal based search engine. Forget relying on a thousand different companies hopefully keeping accurate records, *if any* about what IP where. The user is, for once, a much better source of information. - billn On Mon, 15 May 2006, Kevin Day wrote: We use a Geo/IP location database. It's surprisingly accurate, with a few exceptions. The company we purchased the database from uses a number of sources of data, to produce something pretty accurate: 1) WHOIS records for the IP assignment 2) WHOIS records for domain in the PTR record for the IP 3) Parsing the PTR record for city names and airport codes 4) Purchasing IP/billing and shipping city,state,zip records from sites with accurate records (e-commerce and other sites that people need to enter their local info) 5) All of the above for the hop or two before the end in a traceroute 6) BGP and traceroute comparisons to determine where the boundaries are in how you've internally routed things Even if you're just allocating from a single /20, you probably have some hierarchy, and that can be picked up through routing or DNS or SWIP. Comparing the database to the IP that our customers used to make purchases we exceed 95% accuracy in identifying the country, and 75-85% in city/state. The big exception is AOL, since their IP assignments are pretty well randomized with respect to geography. Never underestimate what can be done through regular expressions and an army of people sitting at terminals in China to verify what can't be automated. :) For those of you really interested, email me privately and i'll dump what we have on record for a block or two of yours.
Re: Geo location to IP mapping
It works for spammers. - billn On Mon, 15 May 2006, Brian Wallingford wrote: I'm not quite comfortable with the idea of building a market audience based on data with at best dubious accuracy. On Mon, 15 May 2006, Martin Hannigan wrote: :At 12:49 PM 5/15/2006, Brian Wallingford wrote: : :> scam_snake_oil_etc : : :How so?
Re: MEDIA: ICANN rejects .xxx domain
On 5/11/06, Robert Bonomi <[EMAIL PROTECTED]> wrote: > If we can coral them in it and legislate to have no porn anywhere > else than on .xxx ... should fix the issue for the prudes out there. And _that_ is *precisely* "why not". There have been at least three generations of proposals for .xxx 1 - In the early days, before ICANN's coup, while there was still active discussion about how to manage the DNS, there were proposals to create .sex and/or .xxx to sell to porn sites, and some of the alt-root types succeeded in making some money doing so. 2 - A few years ago, some US prudes proposed creating a .xxx to exile all the porn sites too, and at some point proposals were made to ICANN to create it. 3 - Shortly thereafter, other US prudes who weren't in the loop heard that there was a proposal to have *pornography* on the *internet*, and got upset and tried to ban .xxx. Tree-structured hierarchies are so much fun - there's inherently the potential for a power struggle for ownership of the root, and it's quite easy for the tree to absorb competitors or be absorbed by competitors (e.g. foo.altrootgang1.altroots.net. or microsoft.com.icannroot. both work, though the former annoys fewer people.) And Peter says he's working with Joe Baptista, so he doesn't need Jim Fleming to make his net.troll quota for the month :-) (Joe may be a troll, but he's done some *really* impressive trolling, particularly involving fax machines and the Canadian government.) -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: BGP data needed
On Tue, 2 May 2006, Ricardo V. Oliveira wrote:
> I was wondering where I can find recent BGP data in the form of BGP
> updates+RIBs besides RouteViews and RIPE?
We don't save updates, but if you want RIBs, we've got them back to 1997.
Recent years are online at:
http://www.pch.net/resources/data/routing-tables/archive/
-Bill
Re: Determine difference between 2 BGP feeds
On Tue, 18 Apr 2006, David Andersen wrote: Much of what Bill described below is already present using Nick Feamster's bgptools release: http://nms.lcs.mit.edu/software/bgp/bgptools/ Start with zebra / quagga / etc., which do a great job of dumping tables and updates. Then use bgptools to take the MRT-formatted dumps that Zebra spits out and turn them into text, etc. With the '-q' option, can insert the BGP updates or table snapshot directly into a SQL database. My peer actually comes from a Zebra box, so I'm not talking directly to any production devices, in the event that I want to bounce my db feed up and down (debugging, featuritis treatments, etc) Z/Q + bgptools is a great suggestion for doing complex reporting/comparison on the routing tables, though. I've got a need for a more real-time view, so my setup fits me a little better than your suggestion, but potato/potatoe. =) then the libbgpdump.a library gives you lots of cool things on top of that. You'd have to do a little work to get the analysis tool you want, but it's pretty easy. Use the 'buildtree' starting program to build the prefix tree from each provider and then compare those two trees (see which prefixes are present/not present, see if any parts of the IP space are unreachable in in one and unreachable in the other, etc.) This is pretty interesting, I'll have to tinker with it, especially since I know one of my providers doesn't give me a full routing table. It starts as Bill suggested - a read-only BGP peer from the devices, which takes about 3 seconds to set up. And for folks to whom this is new stuff: don't be an idiot, put Zebra/Quagga up as a peer/buffer for attaching analysis tools to your network. *Never* attach development grade tools to a production device, most especially when you're dealing with a routing table. Not that I've ever taken down a live router in this manner[1], I'm just saying.. ;) - billn [1] All smirking current/past coworkers are kindly invited to stfu. =)
