Re: Dell power connect switches.
On Thu, 20 May 2004, Joel Perez wrote:

> We are planning to deploy several Dell PowerConnect 3324, 3348 and 6024
> switches on our network.

I don't know how related they are (if at all), but we were suckered into buying several Dell PowerConnect 3248's some time ago. We have a serious issue with them in that the telnet CLI tends to cease properly accepting connections after a while...making them effectively dumb unmanaged L2 switches. If anyone's aware of a fix for this (other than serial consoles), I'd love to hear it.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Barracuda Networks Spam Firewall
On Mon, 17 May 2004, Jared B. Reimer wrote:

> > We had this problem when our inbound-smtp server (the server the
> > barracuda is dumping mail to) was accepting all RCPT TOs. As a result
> > dictionary attacks were getting through and creating 'unique recipients'
> > on the Barracuda. As soon as I fixed my mail server to reject with a 220
> > error on bogus RCPT TOs the problem cleared up.
>
> This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't
> the only mailer that behaves this way. It looks like they may have tried
> to kludge their way around this with LDAP in the case of MS Exchange, which
> also does asynchronous bouncing of undeliverable mail IIRC.

The fault here is with qmail. The barracuda was doing exactly what it was designed to do. qmail can be patched to be smarter (google for qmail spamcontrol or magic smtpd). Accept all, then try to bounce, is a recipe for disaster with today's dictionary attackers and virii that will send to randomly created destinations from randomly created forged froms.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
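An added illustration of the accept-then-bounce versus reject-at-RCPT point made in the exchange above (example code written for this page, not from anyone in the thread; the mailbox table, policy names and the dictionary-attack generator are constructed):

```python
import random
import string

# Constructed backend mailbox table: the only recipients the inbound
# server (the host the Barracuda hands mail to) can actually deliver to.
VALID_USERS = frozenset({"joel", "jared", "postmaster", "abuse"})


def rcpt_response(local_part, policy):
    """SMTP reply to RCPT TO:<local_part@example.net> under one policy.

    "accept_all":     answer 250 to every recipient and discover the bad
                      ones only at delivery time (accept-then-bounce).
    "reject_unknown": check the mailbox during the SMTP dialogue and
                      answer 550 for unknown ones.  (The thread quotes a
                      "220 error"; the permanent-failure code a receiver
                      returns for an unknown mailbox is 550.)
    """
    if policy == "accept_all" or local_part.lower() in VALID_USERS:
        return 250, "2.1.5 Recipient ok"
    if policy == "reject_unknown":
        return 550, "5.1.1 No such user here"
    raise ValueError(f"unknown policy {policy!r}")


def simulate_dictionary_attack(n, policy, seed=1):
    """Send n RCPT TOs with random local parts, the way a dictionary
    attack probes for mailboxes, and count what each policy produces.

    Returns how many recipients a front-end filter would record as
    'unique', how many unknown recipients were accepted, how many got
    a 5xx, and how many bounces would later go to the forged sender.
    """
    rng = random.Random(seed)  # fixed seed: results are reproducible
    front_end_unique = set()
    accepted_unknown = rejected = bounces = 0
    for _ in range(n):
        lp = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(4, 8)))
        code, _ = rcpt_response(lp, policy)
        if code == 250:
            front_end_unique.add(lp)  # the filter just counted a new recipient
            if lp not in VALID_USERS:
                accepted_unknown += 1
                bounces += 1  # delivery fails later; bounce goes to forged sender
        else:
            rejected += 1
    return {
        "front_end_unique": len(front_end_unique),
        "accepted_unknown": accepted_unknown,
        "rejected": rejected,
        "bounces": bounces,
    }


if __name__ == "__main__":
    for policy in ("accept_all", "reject_unknown"):
        print(policy, simulate_dictionary_attack(1000, policy))
```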
Re: route-views.oregon-ix.net
On Mon, 10 May 2004, Peter Rohrman wrote:

> Is route-views.oregon-ix.net down? I can't get to it.

I noticed the same thing earlier today and intermittently last week. I still can't get to it (telnet or ping). Traceroute ends with:

11 unknown.Level3.net (63.211.200.246) 77.438 ms 87.132 ms 82.573 ms
12 ptck-core2-gw.nero.net (207.98.64.138) 77.529 ms 78.278 ms 79.683 ms
13 eugn-core2-gw.nero.net (207.98.64.1) 81.284 ms 80.455 ms 80.721 ms
14 * * *

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Andy Dills wrote:

> http://www.eweek.com/article2/0,1759,1583347,00.asp
>
> "Law enforcement officials said four DS-3 cards were reported missing from
> a Manhattan co-location facility owned by Verizon Communications Inc. The
> theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is

Is this part really surprising to anyone who's got gear in unsupervised LEC colos where everyone is in open relay racks in a large open space?

> being investigated by New York City Police and members of the joint
> terrorism task force, according to NYPD spokesman Lt. Brian Burke."

This seems a bit over the top. A couple years ago when we had a part stolen out of one of our routers in a WCOM colo facility, we couldn't get the local PD to do jack. A report was filed...but I think they filed it in the circular file, because nobody ever investigated, despite the fact that WCOM had just installed a card reader system to replace the simplex door locks, so in theory, they knew who was in the room when our stuff was stolen, but they refused to release the info to us. I guess we should have suggested it was an act of terrorism.

> Trying to fix our terrorism problem like this is like trying to fix the
> spam problem using IP-based blacklists.

No...I'd say it's more like fighting the spam problem with nuclear weapons...now there's an idea.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Cisco Router best for full BGP on a sub 5K budget 7500 7200 or other vendor ?
On Mon, 26 Apr 2004, Rodney Dunn wrote:

> That's the most common deployment mistake I
> see made with the 75xx nowadays. People want
> to move to dCEF to get added feature capability
> or either run a new feature that requires dCEF and they
> don't consider the extra load on the VIP CPU's that
> is required.

Does dCEF use much more CPU on the VIPs or just memory (to store the forwarding table on the VIP)? My experience has been that a 7500 with RSP4's and VIP2-50's (with dCEF) will handle much more packet forwarding than a 7206VXR NPE300...but with full BGP routes, you need at least 64mb (preferably 128mb) on the VIPs or you can't use dCEF. Not using dCEF largely defeats the purpose of using a 7500, doesn't it?

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: Cisco Router best for full BGP on a sub 5K budget 7500 7200 or other vendor ?
On Mon, 26 Apr 2004, Michel Py wrote:

> > "Alexander Hagen"
> > What about a 7505 w/ RSP4/256 and 2 VIP 2-50/128s with 4 PA-FE-TXs.
>
> I would get a 7507 w/redundant RSPs and redundant PS.

You'd get a 7507 (only if it were a choice between that or a 7505?), but then at the end of your message, you say you wouldn't buy any 7500?

> > What is better about the 7206 VXR ?
>
> Fewer software bugs,

Not in my experience. A couple 'advantages' to the 7206 are much smaller size & mass. The 7206 is single person portable. The 7507 and 7513 are very much larger and much more massive. You'll never see someone running down the street away from your data center with a 7507 under their arm.

> The part I missed earlier is that I think Alexander needs to buy the
> platform. As of today I can not recommend buying any 7500 as even the
> 7507 and the 7513 are going to EOL sooner or later. If you can't afford
> a 7603, then the 7206VXR with NPE400G and a gigabit trunk to a 3550 is
> what I would do.

A basic 7507 (dual PS, dual RSP4, couple of VIPs and PAs) is so cheap today, if he's strapped for cash, that's what I'd go for. I'm guessing you can still get at least several years out of such a box, and by the time you've outgrown it or cisco stops making IOS for it (they still make IOS for AS5200's!), hopefully you'll have the cashflow to upgrade.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)
Steve Linford wrote:

> AT&T customers have contacted us saying they can't reach any of our
> DNSBLs, seems AT&T have defined a fake sbl.spamhaus.org zone in their
> DNS servers so when AT&T customers ask AT&T's NS 12.149.189.2 for
> sbl.spamhaus.org they get:
> ...

I was looking at this some more last night, and noticed this appears to have been some kind of mistaken identity issue. Check the whois and PTR for 12.149.189.2. It certainly doesn't appear to be an AT&T maintained DNS server. If there really are/were AT&T customers who couldn't resolve the various popular DNSBLs, I wonder, was the issue caused by something else? Are they set up to query the wrong DNS servers...perhaps 12.149.189.2 used to be an AT&T DNS server before 2001-09-05, but since then, it's been an AT&T customer's machine. Maybe that customer is getting hammered with queries from old AT&T customers and is trying to encourage them to go elsewhere for DNS service.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: SORBS Insanity
On Thu, 15 Apr 2004, Joe Maimon wrote:

> Speaking about whitelisting, comp.mail.sendmail google
> link...Reproduced below..
>
> http://groups.google.com/groups?q=sendmail+whitelist+dns&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&selm=ac4e9990.0311250514.65c4e614%40posting.google.com&rnum=9

ok...you've now drifted way off-topic for NANOG IMO. This belongs in spam-tools or spam-l.

> I was wondering if any of you use *dns* lists for whitelisting purposes.

Yes...for several years.

> I have found a couple of whitelists online (bondedsenders) and their
> m4 was far from satisfactory.

Why? I came up with essentially the same rules (modified dnsbl.m4 to support DNSWLs) as them back in 2001 and have been using it ever since at multiple sites with privately maintained DNSWLs. For that usage, it works fine. If you want to use it with someone else's DNSWL and they have different 127.x.y.z return codes for different whitelisting reasons, sure, it's too primitive, and you'll likely need to modify enhdnsbl.m4 to make your own enhdnswl.m4, or do something similar. Why the sendmail folks have chosen to support DNSBLs but not DNSWLs is still a mystery to me...but this has little to do with network operations.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: SORBS Insanity
On Wed, 14 Apr 2004, Jeremy Kister wrote:

> telling them they were mistaken. Finding no documentation on how they
> deem networks "dynamic" or "static" I changed my rDNS scheme from
> ppp-64-115-x-x to 64-115-x-x. Note to all: "ppp" in no way signifies
> dial-up; we run ppp over almost every circuit we have -- from dialup to
> OC12, to Ethernet and ATM.

I think you'll find it's pretty commonly assumed (not just by certain DNSBLs) that "script generated" DNS is dynamic. Prepending it with ppp- makes the assumption seem to be even more of a slam dunk. Just to pick an example, dummy-smtpd assumes that any host that matches /\d{1,3}.\d{1,3}.\d{1,3}/ is "dynamic host with script-generated rDNS name". I think the feeling is, "if you care enough about the system that it should be a legitimate mail server, it ought to have 'unique' rDNS." rDNS matching what it HELO's as is nice too.

> I also stated how all of our network was scanned twice a day for open-relay
> mail servers. Being a bigish ISP, we are _huge_ on our abuse policies, and
> our abuse bucket [usually] has only memories of tumbleweed blowing by.

Irrelevant. Unless you're doing full port scans, you're not going to find the open proxies. Open relays are old school for spamming. Open and stealth proxies are the current methods. Are you looking for HTTP Connect proxies on 65506, 6588, 48669, etc.? How about the socks5 proxy on 64.115.63.248:35762, which BTW is static-64-115-63-248.isp.broadviewnet.net.

> 2. that to prevent further hysteria, I had changed the reverse dns from
> ppp-64-115-x-x to static-64-115-x-x and dynamic-64-115-x-x,
> respectively.

That's better than the original. Would you really expect people in today's spam overrun climate to accept email from a system identified as ppp-64-115-x-x.isp.broadviewnet.net? I don't know about you, but that just screams dialup to me. 64-115-x-x.isp.broadviewnet.net isn't much better.

> 3. their blindness was very unprofessional, deeming SORBS a Worthless
> Project ran by Ignorant Half-Wits

Your thinking that won't change the minds of thousands of systems blocking millions of spams with their list.

> As of this date I have not received a response from anyone at sorbs, and do
> not expect one. Our support crew is overwhelmed with upset customers who
> can't send email to their associates. Our only response to them is that we
> have tried to resolve the issue, but could not, and that the remote ISP
> should stop using sorbs.

Did it occur to you to set up reverse DNS to match forward DNS? Are these customers running DNS that says "our MX records are 64-115-x-x.isp.broadviewnet.net and 64-115-x-y.isp.broadviewnet.net"? I really doubt it. Having them smarthost their mail through your server (it's not 64-115-x-x.isp.broadviewnet.net too, is it?) would also be a no-brainer immediate solution until you can work things out with SORBS.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
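The rDNS heuristics argued over in the message above (the dummy-smtpd numeric pattern, the ppp-/dynamic- prefixes, forward DNS confirming the PTR, HELO matching rDNS), as an added example that is not part of the thread. The PTR and A tables are constructed stand-ins for DNS so it runs offline; treating a "static-" prefix as suppressing the numeric-pattern heuristic, and the "dyn-"/"dialup-" prefixes, are assumptions of this example, not claims from the thread:

```python
import ipaddress
import re

# The dummy-smtpd pattern as quoted in the thread.  The dots are unescaped,
# so "." matches any character, which is why dash-separated names such as
# 64-115-63-248 match just as well as dotted ones.
SCRIPT_GENERATED = re.compile(r"\d{1,3}.\d{1,3}.\d{1,3}")

# Prefixes the thread treats as advertising a dynamic/dial-up host.
# "dyn-" and "dialup-" are added here as assumptions, not from the thread.
DYNAMIC_PREFIXES = ("ppp-", "dynamic-", "dyn-", "dialup-")

# Constructed PTR and A tables standing in for DNS lookups (offline).
# Addresses follow the 64.115.x.x scheme discussed; the records are made up.
PTR = {
    "64.115.1.2": "ppp-64-115-1-2.isp.broadviewnet.net",
    "64.115.1.3": "mail.example-customer.net",
    "64.115.1.4": "64-115-1-4.isp.broadviewnet.net",
    "64.115.1.5": "dynamic-64-115-1-5.isp.broadviewnet.net",
    "64.115.63.248": "static-64-115-63-248.isp.broadviewnet.net",
}
A = {
    "mail.example-customer.net": "64.115.1.3",
    "static-64-115-63-248.isp.broadviewnet.net": "64.115.63.248",
    # the ppp-/dynamic-/bare-number names have no forward record,
    # so forward-confirmed rDNS fails for them
}


def classify_rdns(ip, helo=None):
    """Return (verdict, reasons) for one connecting IP.

    verdict: "no_rdns", "dynamic_looking", "generic_looking" or "ok".
    reasons: the heuristics that fired, so an operator can see why a
    SORBS-style list would call the host dynamic.  Assumption: a
    "static-" prefix is taken as an explicit static hint and suppresses
    the numeric-pattern heuristic (the thread only says it is "better").
    """
    addr = str(ipaddress.ip_address(ip))  # normalises and validates the IP
    name = PTR.get(addr)
    if name is None:
        return "no_rdns", ["no PTR record"]
    name = name.lower()
    reasons = []
    if name.startswith(DYNAMIC_PREFIXES):
        reasons.append("dynamic-style prefix")
    if SCRIPT_GENERATED.search(name) and not name.startswith("static-"):
        reasons.append("script-generated pattern")
    if A.get(name) != addr:
        reasons.append("forward DNS does not confirm PTR")
    if helo is not None and helo.lower() != name:
        reasons.append("HELO does not match rDNS")
    if "dynamic-style prefix" in reasons:
        return "dynamic_looking", reasons
    if "script-generated pattern" in reasons:
        return "generic_looking", reasons
    return "ok", reasons


if __name__ == "__main__":
    for ip in sorted(PTR) + ["64.115.9.9"]:
        verdict, why = classify_rdns(ip)
        print(f"{ip:15} {PTR.get(ip, '-'):45} {verdict:16} {'; '.join(why)}")
```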
Re: Lazy network operators
On Sat, 10 Apr 2004, Chris Boyd wrote:

> Please note that we no longer accept any network abuse reports at this
> address. Any reports must be submitted by using the following web form:
> http://www.ntlworld.com/netreport
>
> Any reports sent to this email address will not be read and will be
> automatically deleted.

I can guess their reasoning for this is they're tired of bogus complaints (from address on spam/virus was forged to look like it came from them) or complaints lacking the necessary detail to take any action...but the way they've implemented their forms is not going to win them any fans. You have to click through multiple layers of forms before you can actually put in any details. None of the reason options are SPAM. And on my first try, their site caused Mozilla to crash.

Also, I doubt this was a decision made by the "network operators", but rather by the abuse department or more likely, whoever oversees it, perhaps figuring that by having the web form CGI neatly categorize all complaints, they can get by with less staff (or clue) handling abuse.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: MLPPP Follow Up - How we fixed the problem
On Thu, 1 Apr 2004, Paul Stewart wrote:

> Any issues with more than 2 connections? We have a customer that we are
> doing this for right now with two T1's.. Customer wants a third one
> possibly.. Can't see a problem but thought I'd ask...
>
> How many could you theoretically do if you really had to? ;)

AFAIK, depending on IOS version, the max-paths you can load balance with CEF is 6 or 8. i.e. In some older versions, it is 6, and I've had to do upgrades to get 8 T1's to load share. Most instances of this that I've done have been on our own network where we use OSPF on the T1's and set maximum-paths in router ospf. I have seen/done 4xT1 service load balanced to customers using static routes.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: MLPPP Follow Up - How we fixed the problem
On Wed, 31 Mar 2004, Mark E. Mallett wrote:

> > ip route X.X.X.X 255.255.255.252 Serial1/0/0/13:0
> > ip route X.X.X.X 255.255.255.252 Serial2/1/0/14:0
> >
> > The only problem that we ran into was that we had to use the Serial designator
> > of the interface in our route statement otherwise it will not work (or
> > at least it did not for us).
>
> FWIW I have also observed that it is necessary to specify the
> interface when doing per-packet load balancing across multiple PVCs,
> e.g. as when doing load balancing across multiple DSL circuits. I

I've done lots of this (with clear T1's, no frame or DSL), and never run into that issue on 3640, 7206, 7500 series routers.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: DSL and/or Routing Problems
On Tue, 30 Mar 2004, Stewart, William C (Bill), RTSLS wrote:

> > ping did _this_
>
> Ping is not very informative or accurate.
> If you run a traceroute, which is also not very accurate,

Get the best of both tools and use mtr (assuming unix-like platform). There are similar tools for windows (pingplotter?).

This thread reminds me of my own DSL, which rides the ILEC's network and is handed off to $work at the CO as an ATM PVC. For years, my DSL service has oscillated from fine (20-30ms ping times) to not good (200-300ms) to unusable (>=1000ms ping times). It seems to work fine for months, then get bad to really bad for days or weeks at a time. I've replaced CPE several times, and even keep 2 totally different brand/model routers at the house, just in case (so when I call the DSG, I can say "yes, not only have I power cycled it, I've replaced the router"). I've spent considerable time on the phone with the ILEC. Most calls, they claim there's nothing wrong. A few times, they've admitted it's a known problem with the "lt card", not that that means much to me, and resetting it often makes things better.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Broadwing opinions
On Wed, 24 Mar 2004, Steve Francis wrote:

> Anyone care to share opinions on broadwing as an upstream?
> Responsiveness/cluefulness of noc and how well they manage their
> infrastructure (in terms of good change management, etc.) would be good
> to know.

With or without your own PI (or some other provider's PA) IPs? It's getting to the point where it's not possible to use any large provider's PA space and not be affected by one of several DNSBLs that use "collateral damage" as a motivator for change...not that it seems to work terribly well against the largest providers.

http://www.spamhaus.org/SBL/listings.lasso?isp=broadwing.com

The system this message is being sent from uses broadwing.com as one of 4 transit providers and has recently run into issues sending email to sites using either spews or fiveten as each of the (different providers') PA IP blocks in use are listed in one or both of these DNSBLs as well as additional less known DNSBLs.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Personal Co-location Registry
On Thu, 18 Mar 2004, Mr. James W. Laferriere wrote:

> Tyan (& another I can't remember now) have console forwarding to
> the com1 port. This MB is available in PenguinComputing's 1u &
> 2u systems. They run *BSD just fine as well. Hth, JimL

Many of Intel's server boards support this (or at least did as of several years ago). I had some issues getting Linux to play nice with that feature turned on. I never had one of them sitting around long to figure out the issues before putting them in service (with console redirection turned off). This was the T440BX/NL440BX board, which is kind of dated now. If you have some old Cacheflow boxes sitting around, they probably have this board in them. I don't know if they've done anything to them that would cause problems using it in something other than the cacheflow.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Packet Kiddies Invade NANOG
On Tue, 16 Mar 2004, Alexei Roudnev wrote:

> Hmm, if someone (except masochists and security vendors) still hosts
> efnet... I can only send them my condolences.
>
> I saw the same dialogs 6 years ago. Nothing changes.

What about undernet? A customer wants us to help him set up an undernet IRC server. My gut feeling is, hosting IRC servers (especially on the well known networks) is like wearing a "kick me/flood me" sign on your network, and it's probably not going to be worth the pain & pages.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:

> Maybe NANOG needs to implement a system where you have to log
> in to a web page with your NANOG meeting passcode in order to
> get a usable IP address. Then, when an infected computer shows
> up we will know exactly whose it was. Might even be interesting
> for a researcher to interview every infected party and figure
> out why it is happening even among a supposedly clueful group.

I find it ironic that one of the presentations at the last nanog was about a system kind of like that: http://www.nanog.org/mtg-0402/gauthier.html and that we had some luser on the nanog30 wireless network infected by SQL slammer. Does anyone know who that was, how/if they were located and removed from the network, and whether they brought an infected PC (either via stupidity or as a joke) or simply brought an unpatched system out from behind their firewall/packet filters and got infected before they got a chance to actually use the network?

After that incident, I sniffed the wireless for a little while and noticed slammer is alive and well out on the internet and still trying to infect the rest of the internet. We're still blocking it at our transit borders. The one time it was removed (accidentally), a colo customer was infected very shortly after the filter's protection was lost.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Christopher L. Morrow wrote:

> There are several blacklists that clearly want more from the ISP than an
> explanation that the offenders are being/were removed... one good example
> is 'spews'.

What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had customer IPs in spews, and got them removed. "I've" also been collateral damage (at a consulting client's site), which sucks, but that's the stick spews wields. In most cases, that's encouragement enough for a provider to clean up their network or keep it from becoming a mess. Sometimes it's not.

> As was pointed out to me by a co-worker: "Linux is not any more inherently
> secure than any other OS." The difference really comes in the
> administration of the pee cee. So, would upgrading joe-random-user to
> Linux really make things better for them? (or us?) That is not clear at
> all at this point.

That's an argument for another list...but the short answer is no, giving JRU who knows nothing about Linux a default install, especially a popular one, say Red Hat, is not much, if any, better. They won't maintain it. It will be hacked. At least it probably won't be done with and then participate in email viruses.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Bohdan Tashchuk wrote:

> Question: Why can't a provider sell virtual PC colocation, instead of
> physical PC colocation?

Several do. We nearly bought a failing one that was doing a lot of this with a commercial Linux virtualization product.

> So instead of 40 physical machines per rack, why can't it be 80 or 160
> or even more virtual machines, running on 40 physical Linux boxes? I
> think the economics could shift significantly under those circumstances.

During the short time we managed their network and systems, I had to poke around on a couple of the virtual machines to fix customer issues. I don't remember how many virtual machines they ran per physical machine, but IIRC, they were all P4's with several GB of RAM. Each customer got root and their own IPs on what appeared to them to be a dedicated server.

IIRC, Paul was suggesting part of the value in the $50/month colo deal was that customers were motivated to be good else you keep their server or ebay it. You lose that with the virtual private server model...but does anyone actually have in their contract/AUP that AUP violators will forfeit their hardware? We've kicked some spammer colo customers where I'd love to have had such a clause. I only know of one case where we did that...and it was for non-payment. The customer's hardware was worth less than their balance, so they chose to simply write us off. Being located in another country, it wasn't worth the effort to try extracting $ from them.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Michel Py wrote:

> $50 is a lot of money; I currently send email from my aDSL address
> because a) my ISP's smarthost sucks b) historically their SMTP hosts
> have been blacklisted more than mine c) even if they did not suck (which
> has improved a lot recently, actually) they still won't accept large
> attachments or mailing-list traffic.
> I pay $36/mo for my aDSL. $50 _more_ sounds a lot.

I checked with our hosting dept. and we won't sell 1U traffic policed colo quite that cheap. Close to it, but not $50/month. And I agree, for most people spending an extra $50/month just to be able to send email (though I imagine they'd also do some personal web hosting and maybe other things as long as the machine was there), not to mention the expense of buying a 1U server and having to maintain it remotely isn't going to fly. You'd have to be a pretty hard core netgeek and have the disposable income ($600/year + the server...I can think of lots of better ways to spend that) to consider that a good solution...at which point why not just pay a bit extra to your ISP (or another ISP) and get a static IP with reverse DNS, which I would think would get you excluded from most reasonable DNSBLs.

For most people it'd probably make much more sense to find a provider that offers some form of SMTP relay service. It'd probably be cheaper/month, and they wouldn't have the trouble and expense of providing/maintaining a colo server.

> Besides, although this list is definitely the right place to find people
> that would operate a personal SMTP relay in a colo just by the virtue
> that it's the geeky thing to do, what does it change in the big scheme

I'd imagine you could even find a few friends and share the cost/utility of the server such that it only cost each person a few dollars/month...but then someone's got to pay the bills, collect money, harass the people who don't pay their share, etc.

> of things? All these small business customers (20 persons) that I have
> that use a sub-$100 "business" DSL and M$ Small Business Server +
> Exchange are not going to go for it, because the cost then will suddenly
> become $50 plus the 1U server plus my time plus maintaining it.

What if the cost were only $10/month and they didn't have to maintain anything other than a set of usernames/passwds (SMTP Auth) or perhaps a list of their own IPs (relaying based on IP)?

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: Proposal: De-boganising New Address Blocks
On Tue, 24 Feb 2004, Michel Py wrote:

> Good idea, no contest. Now, the devil's advocate asks: what makes you
> think that operators/ISPs are going to react faster to your pilot stuff
> being bogonized than they would to real traffic being bogonized, as if
> it's a pilot project it's by definition not urgent and can wait
> tomorrow?
>
> Although I salute the effort, I am concerned that this will not change
> current reactive behavior which is to wait for the shit to hit the fan
> to update bogon lists. Might sound sad, but I think the way to

Assuming the pilot program does some form of reachability testing and then some effort is made to notify those with bad filters (good luck), then at least this notifies them before it's a real inconvenience for anyone. They may or may not choose to react, but at least this puts them on notice that they have a problem that will be real in the near future.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:

> If we advertise the DHCP pools for AS1312 in a DUL, we solve the problem for
> those sites that use the DUL we list them in.
>
> If we block outbound port 25 SYN packets from origin addresses in the DHCP
> address blocks, we solve the problem for everybody.

No...you just speed up the migration (which has already begun) to spam proxies that use the local ISP's mail servers as smart hosts. Then you have to come up with a way to rate-limit customer outbound SMTP traffic.

BTW...who brought SARS (or more likely just flu) to nanog30? I drove (so I didn't catch it on the plane) and symptoms (sore throat, congestion, very high fever) started thursday. I've spent most of the weekend in bed waiting to die.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: Anti-spam System Idea
On Sat, 14 Feb 2004, Tim Thorpe wrote:

> If these exist then why are we still having problems?

Because the spammers are creating proxies faster than any of the anti-spam people can find them. Evidence suggests, at least on the order of 10,000 new spam proxies are created and used every day by spackers (spammer/hackers). The relative insecurity of windows and ignorance of the average internet user has created an incredibly target rich environment for the spackers.

> Why do we let customers who have been infected flood the networks with
> traffic as they do? Should they not also be responsible for the security
> of their computers? Do we not do enough to educate?

Economics, and convenience outweighing security. We're big, and slow to change. They're small and mobile.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Anti-spam System Idea
On Sat, 14 Feb 2004, Tim Thorpe wrote:

> 95% of spam comes through relays and its headers are forged; tracking an
> E-mail back that you've received is becoming next to impossible, it's also
> very time consuming and why waste your time on scumbags?

s/relays/proxies/

The proxies are tough to find since they can run on any port. Some of them even pick random ports, then "phone home" to tell the spammer which IP/port was just created as one of their open proxies.

> my idea;
> a DC network that actively scans for active relays and tests them, it
> compiles a list on a daily basis of compromised IP addresses (or even
> addresses that are willingly allowing the relay) making this list freely
> available to ISPs via a secure and tracked site.

You're a few years late. See http://dsbl.org. For a non-DC version, see http://njabl.org.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: SMTP relaying policies for Commercial ISP customers...?
On Fri, 13 Feb 2004, Leo Vegoda wrote:

> > Yes, that is a little bit stickier of an issue, IFF your goal is to
> > somehow continue to provide the would-be spammer with the ability to send
> > traffic to the net, provided it doesn't transit your mail server. I feel
> > that you're overlooking the simple solution. Blocking the entire account
> > so they can't access anything is the proper response to a spamming
> > incident.
>
> If you block the entire account then the user can't use the account
> to download the updates your Abuse Team will responsibly want to
> point him/her at. If you want to lose the customer then that's your
> business. If you want to keep the customer, helping them fix their
> mistakes is probably a painful and thankless task - but important
> and useful to the whole Internet community.

What about http://www.nanog.org/mtg-0402/gauthier.html

After seeing that presentation, I wondered if an ISP could get away with something similar. Eric has the advantage of being the monopoly service provider for the dorms.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Interesting BIND error
On Thu, 12 Feb 2004, Chris Adams wrote: > Once upon a time, Brian Wallingford <[EMAIL PROTECTED]> said: > > We've been seeing the following on all of our (9.2.1) authoritative > > nameservers since approximately 10am today. Googling has turned up > > nothing; I'm currently trying to glean some useful netflow data. Just > > wondering if this is local, or if others have suddenly seen the same. > > I'm seeing them too (also BIND 9.2.1). They seem to come in bunches. > It looks like they started at a little after 5am (CST) today. They started yesterday evening here but we're only seeing it on some of the name servers. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: Cisco Router best for full BGP on a sub 5K budget 7500 7200 or other vendor ?
On Sun, 8 Feb 2004, Alexander Hagen wrote: > Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ? I can't say why cisco charges so much for the PA-2FE, but the CX-FEIP-2TX is cheap because it's ancient (EOL'd some time ago) and probably not capable of running both ports at line-rate anyway. Don't buy them unless you're hooking up very low traffic LANs. Your best bet is PA-FE's and enough VIP2-50's for the number of PA-FE's you need. Also, watch out for PA-2FEISL-TX's. They're also not capable of handling both interfaces at line-rate. That's why they're available for just a few hundred $. http://www.cisco.com/warp/public/cc/pd/ifaa/ifpz/prodlit/969_pp.htm -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: other virus damages/costs.....(hello skynet.be ?)
On Mon, 2 Feb 2004, Mike Tancsa wrote: > Looking at my disk stats, my mail storage spool has grown by 15% in the > past week not due the deluge of viruses which I can block and reject, but > in large part to those idiotic "Hi, I am sorry in a happy idiotic way to > inform you that the message you sent has a virus" messages As almost > all of them forge their email address, what is the point of warning the > "sender." Even better, I wake up this am to 285 (and growing) messages > below telling me that someone at skynet is trying to send me a virus > message and it cc's 64 other people. Nice. Enough people are sufficiently annoyed by antivirus notifications/advertisements that they're starting to ask for DNSBLs of systems that send them. I suspect before long, there will be some. But this really doesn't seem to be NANOG material. Try spam-l or spamtools. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Did Wanadoo, French ISP, block access to SCO?
On Sun, 1 Feb 2004, Sean Donelan wrote:

> EWeek is reporting an anonymous source that Wanadoo, a major French ISP,
> has stopped all traffic to SCO's web site?
>
> Is this true? Have any other ISPs taken similar action?

Can you block access to something that doesn't exist?

; <<>> DiG 9.2.2-P3 <<>> www.sco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sco.com. IN A

;; AUTHORITY SECTION:
sco.com. 1582 IN SOA ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800

sco.com still has an A record, but it seems filtered. I can't ping / traceroute / tcp/80 it. Their MX is still reachable (ping / tcp/25 at least).

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: Cisco 7206VXR w/NPE-G1 Question
On Fri, 30 Jan 2004, Michel Py wrote: > That would be where the NPE-G1 would be better than an RSP8; however Isn't it somewhat wrong to compare the NPE-G1 to any RSP since most of the packets, most of the time, are handled by the processors on the VIPs and never bother the RSP other than flowing through its SRAM? Or at least a comparison should be NPE-G1 vs some combination of RSP and VIPs. If you take a 7500 as far as you can (RSP16, VIP6-80s), then how does it compare to a 7206VXR/NPE-G1? Cisco plainly admits that the GEIP tops out at around 400mbit/s, but it's based on the rather old VIP2-50. Anyone know if they plan to put out a more capable GEIP, perhaps based on the VIP6-80, which theoretically would double the GEIP's throughput? -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: New IPv4 Allocation to ARIN
On Sun, 18 Jan 2004, Petri Helenius wrote: > >It's those dang Nachi-sized ICMP echo/echo-replies. We block those at all > >our transit points and dial-up ports. Nachi was killing our cisco ^^^ > >access-servers until we did this to stop the spread. > I know what they are and how to get around them. I just look down on people > dropping my packets in their backbones without reason. I wasn't joking or kidding about the above. Many others who run dialup services saw similar problems (both with cisco and other vendor's gear). Blocking these size/type packets, as per suggestions from cisco's web site was the easiest way to keep our network up, and prevent additional infections both into and out from our customers. Have others who implemented them dropped their echo/echo-reply 92-byte filters? If tracert defaulted to udp like just about every "unix" traceroute or allowed you to vary the packet size or protocol, this wouldn't be as much of an issue. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: New IPv4 Allocation to ARIN
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote: > Of course, if they tried to run the test *before* assigning the > block, it should fail, because it should still be in everyone's > bogon filters. ^_^ So before assigning a block, mark it as "Pending assignment" or "Assigned to IANA". > their bogon filters. It would also require that the RIR > to whom the block has been assigned arrange with their > upstream to have the test block routed; That's trivial. > perhaps they could use the top block from the new assignment for the > test subnet, and then begin assigning from the bottom; hopefully by the > time any substantial portion of the space has been allocated, the need > for the test subnet will have passed, and the block can be used as part Unfortunately, I doubt that. ARIN's been assigning from 69/8 for a year or more and there are still lots of networks filtering it. If RIR's were to setup such testing sites, it'd probably make sense to simply reserve the minimum allocation size block from each IANA assigned block and assume it will be used for reachability testing pretty much indefinitely. Maybe they could be recycled after a number of years. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: New IPv4 Allocation to ARIN
On Fri, 16 Jan 2004, Petri Helenius wrote: > >I wouldn't be surprised if more people are filtering 69/8 now than before, > >roughly 40% of the spam hitting my servers is from there. That's likely going to be true of each newly allocated block as spammers move around, move into them, or even scam the RIRs into allocating IPs directly to them. > It also seems that 69box.atlantic.net (or someone nearby) is filtering > one specific size of ICMP packets. > > Is certain packet size also considered a "bogon" or is this something > that will eventually be removed > from the filters? It's those dang Nachi-sized ICMP echo/echo-replies. We block those at all our transit points and dial-up ports. Nachi was killing our cisco access-servers until we did this to stop the spread. Unfortunately, this breaks Windows tracert as it uses 92-byte echo requests. Use a "real" traceroute, and you won't see this problem. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
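An added example, not code from the thread or from Atlantic Net: a small model of the 92-byte ICMP echo/echo-reply filter the two posts above describe, used to show exactly which tools it catches as collateral damage. Packet dicts, their sizes and the probe generators are constructed here; "length" is the IP total length an ACL would look at, and the 92-byte figure for Nachi and tracert is the one given in the posts (the "ping -s 64" case is my own addition: 64 payload + 8 ICMP + 20 IP also lands on 92 bytes).

```python
# Added example, not code from the thread: model the 92-byte ICMP
# echo/echo-reply filter described above and report what it drops.
# Packet dicts and their sizes are constructed; "length" is the IP total
# length in bytes, which is what a router ACL matches on.

NACHI_LEN = 92  # Nachi's echo requests: 20 IP + 8 ICMP + 64 payload (per the post)


def nachi_filter(pkt):
    """Decide 'drop' or 'pass' the way the transit/dial-up filter does:
    only ICMP echo-request/echo-reply of exactly 92 bytes are dropped."""
    if pkt["proto"] != "icmp":
        return "pass"
    if pkt["type"] not in ("echo-request", "echo-reply"):
        return "pass"
    return "drop" if pkt["length"] == NACHI_LEN else "pass"


# Constructed probe generators for the tools mentioned in the thread.
def windows_tracert_probe(dst, ttl):
    # tracert.exe sends 92-byte echo requests, the same size as the worm
    return {"proto": "icmp", "type": "echo-request", "length": 92,
            "dst": dst, "ttl": ttl}


def unix_traceroute_probe(dst, ttl):
    # classic traceroute sends UDP to high ports, so the ICMP filter never sees it
    return {"proto": "udp", "dport": 33434 + ttl, "length": 60,
            "dst": dst, "ttl": ttl}


def ping_probe(dst, payload=56):
    # default ping payload is 56 bytes -> 84-byte packet; a 64-byte payload is 92
    return {"proto": "icmp", "type": "echo-request", "length": 28 + payload,
            "dst": dst, "ttl": 64}


def collateral_report(dst="198.51.100.10", hops=8):
    """Count how many of each tool's probes the filter drops on an 8-hop trace."""
    tools = {
        "windows-tracert": [windows_tracert_probe(dst, t) for t in range(1, hops + 1)],
        "unix-traceroute": [unix_traceroute_probe(dst, t) for t in range(1, hops + 1)],
        "ping-default": [ping_probe(dst) for _ in range(hops)],
        "ping-s64": [ping_probe(dst, 64) for _ in range(hops)],
    }
    return {name: sum(1 for p in pkts if nachi_filter(p) == "drop")
            for name, pkts in tools.items()}


if __name__ == "__main__":
    for tool, dropped in collateral_report().items():
        print(f"{tool:16s} dropped {dropped}/8 probes")
```

The report makes the trade-off concrete: the filter is blind to UDP traceroute and to a default-size ping, but it kills every probe of Windows tracert and of any ping that happens to carry a 64-byte payload, which is why users behind such a filter see the "* * *" the posts mention.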
Re: New IPv4 Allocation to ARIN
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote: > On Fri, 16 Jan 2004 11:34:18 EST, [EMAIL PROTECTED] said: > > > There are still numerous networks blocking 69/8. Probably more blocking > > 70/8 as most of the people who were behind the times with their filters > > blocking 69/8 fixed that /8 but still don't keep their filters up to date. > > > > http://69box.atlantic.net/cgi-bin/bogon > > Can an early adopter of 70/8 please give Jon an address? :) I was actually going to suggest that, but I've been pretty busy lately and can't guarantee how fast I'd get it setup and testing. If someone did want to lend me a small chunk of 70/8 (whatever minimum size might make it through most prefix length filters) I would have no problem with making a "70box" interface on 69box and testing reachability to the hosts checked when 69box was setup. Alternatively, the RIRs might consider doing this sort of thing before allocating IPs from new blocks. I know it's not their job to make sure IPs are routable (especially not on every remote network), but as holders of all the IPs, they are in the best position to setup such test sites that would expose problems before they're dumped on members. The only slightly tricky part is coming up with a large population of remote IPs to test for reachability. Or, perhaps IANA could even do this before assigning an IP block to an RIR. If either type of the above orgs wants to do this, I'm sure people from the community would be willing to help out if they don't have or don't want to dedicate staff to this type of project. It could be left to the community (or those who have been allocated or expect to be allocated IPs from these blocks) to try to notify broken networks about their outdated filters. I know from my own experience with it, that it's a pain to do since it's not always clear who to contact, and even when you get the right contact, they may not understand/care about the problem. 
-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: New IPv4 Allocation to ARIN
On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote: > On Thu, 15 Jan 2004 15:31:37 PST, Steve Conte <[EMAIL PROTECTED]> said: > > > This is to inform you that the IANA has allocated 70/8 to ARIN. > > All you early adopters of 69/8 now have somebody to share your pain with There are still numerous networks blocking 69/8. Probably more blocking 70/8 as most of the people who were behind the times with their filters blocking 69/8 fixed that /8 but still don't keep their filters up to date. http://69box.atlantic.net/cgi-bin/bogon -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _____ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: PC Routers (was Re: /24s run amuck)
On Wed, 14 Jan 2004, Stephen J. Wilcox wrote:

> Have been discussing PCs for a bit but as yet not deployed one, as I
> understand it a *nix based PC running Zebra will work pretty fine but
> has the constraints that:
>
> o) It has no features - not a problem for a lot of purposes

Which "no features"? I haven't played with zebra yet, but my understanding is that it supports a large subset of the IOS BGP config language including application of route-maps to incoming/outgoing routes, and therefore things like prepending, setting metrics or preference, etc. Am I mistaken?

> o) On a standard PCI but your limit is about 350Mb, you can increase that to a
> couple of Gb using 64-bit fancy thingies

The application where I'm caring for one of these is around a dozen T1's to several different transit providers on a Gateway router. According to Imagestream, this router can handle up to 1 OC3 at "wire speed". We're obviously not pushing anywhere near that through it. The same customer has a handful of Rebel routers used for T1s/ethernets within their network.

> o) This may be fixed but I found it slow to update the kernel routing table
> which isn't designed to take 12 routes being added at once
>
> Icky, could perhaps cause issues if there's a major reconvergence due to an
> adjacent backbone router failing etc, might be okay tho

I've never timed it, but I haven't noticed it taking routes any slower than the ciscos I'm used to.

> o) As it's entirely process based it will hurt badly in a DoS attack
>
> This is a show stopper. I need the box to stay up in an attack and be responsive
> to me whilst I attempt to find the source.

But it's got so much more CPU power than comparably priced ciscos...and most of the cisco gear I've worked on doesn't do terribly well under DoS...so I don't see a distinction here. Either way, getting DoS'd sucks, but I've never seen a DoS hit any of the Imagestreams, so I don't know how it copes.
> I'm not an expert in PC hardware, so I do struggle to work out the
> architecture that I need and I'm sure it's possible to build boxes that
> are optimised for this purpose however I'm still not convinced that the
> box can keep up with the demands of day to day packet switching - I'd

Their bigger routers, I'm pretty sure, have multiple PCI buses, so if you wanted to push lots of traffic, careful planning of which bus you put each card in may make a difference. Their tech support is pretty responsive, so they'd be the place to go with technical/architectural questions. Another nice feature is with iptables, they can now do stateful firewalling / connection tracking.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: /24s run amuck
On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:

> I stand corrected. The following page comparing Cisco and Imagestream
> is quite interesting.
>
> http://www.imagestream.com/Cisco_Comparison.html
>
> How many of you would buy an Imagestream box to evaluate for
> your next network buildout?

I've been managing a couple of these for a customer for a couple of years. They work. The main problem I'd have with trying to use them on our network is a lack of certain features I'm either used to or totally dependent on in our ciscos. i.e. MPLSVPN (lack of it) would be a show stopper for us. The gated-public they come with lacks features...AFAIK there is no support for communities, prepending, etc. Their current software image does include zebra now, but last I looked it was not officially supported. For a relatively simple end-user BGP customer, it works fine. And the nice thing is it's PC-type hardware so if you need more RAM, just throw in another dimm. No worries about the global routing table growing and having to buy a bigger router because your year or two old one no longer supports enough memory to hold full routes. I suspect the CPUs are upgradable as well...but I've never actually touched the hardware...I've always worked on it remotely. OS-wise, it's a minimal Linux distribution with a menu interface (or you can drop to a shell) and there is a little space on the flash to add additional software if there's something you want that they don't supply.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: GSR, 7600, Juniper M?, oh my!
On Wed, 7 Jan 2004, Michel Py wrote: > > I've heard conflicting reports, is a 7206 faster at packet switching > > than a 7507? > > Greatly depends what's inside it. Sure, if your 7507 has an RSP2 (which > basically is a 3640 on a blade) and legacy (meaning, non-dcef) blades a > 7206 will beat the crud out of it. However, a loaded 7206 with a low-end > NPE can choke when the 7507 with an RSP16 and recent VIPs will sail > smoothly. Even comparing a VXR with NPE300 to a 7500 with RSP4 and VIP2-50's, the 7206 will melt down and cease functioning properly on traffic levels the 7500 handles without breaking a sweat. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net | _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Stopping ip range scans
On Mon, 29 Dec 2003 [EMAIL PROTECTED] wrote:

> Recently (this year...) I've noticed increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various

What ports are being probed? SOP for script kiddies for at least 10 years has been find a box you can hack root on, install a vulnerability scanner for the remote-root vulnerability d'jour, fire it up, and come back in a day or so to see what you've found. Then hack the newly found vulnerable boxes, install the scanner on each of them, and repeat the process. Some of these packages have done things like download the .com zone (back when F allowed this) and scan all NS's for bind vulnerabilities. Others just pick a random IP and scan sequentially higher IPs. More recently, some packages have combined the scanning and hacking. If you don't want the scans, block everything you don't want at your router. Otherwise, just make sure your systems are up to date. A common OS with unpatched known remotely exploitable holes doesn't last long on an unfiltered internet connection.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net | _ http://www.lewis.org/~jlewis/pgp for PGP public key_
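An added example, not code from the thread: the "scan sequentially higher IPs" pattern the reply describes is easy to pick out of a border filter's drop log, because one source hits a numerically consecutive run of destinations on one port. The iptables-style log lines, the addresses and the thresholds below are all constructed for this illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed iptables-style DROP log (not from the thread). 198.51.100.7 walks
# 203.0.113.1-16 on tcp/22 one after another; 198.51.100.20 is an ordinary
# client that only ever talks to two hosts and just got blocked on port 80.
SCANNER = "198.51.100.7"
LOG_LINES = [
    f"Dec 29 10:00:{i:02d} fw kernel: DROP SRC={SCANNER} DST=203.0.113.{i} PROTO=TCP DPT=22"
    for i in range(1, 17)
]
LOG_LINES += [
    "Dec 29 10:00:20 fw kernel: DROP SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=80",
    "Dec 29 10:00:21 fw kernel: DROP SRC=198.51.100.20 DST=203.0.113.9 PROTO=TCP DPT=80",
    "Dec 29 10:00:22 fw kernel: DROP SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=80",
]
LOG = "\n".join(LOG_LINES)

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def longest_consecutive_run(addrs):
    """Length of the longest run of numerically adjacent addresses."""
    s = sorted(set(addrs))
    if not s:
        return 0
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_range_scans(log_text, min_hosts=8, min_run=8):
    """Group dropped probes by (source, proto, port) and flag sources that hit
    many distinct destinations in a numerically consecutive run. The two
    thresholds are policy knobs chosen for this example."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dpt = m.groups()
        probes[(src, proto, int(dpt))].append(int(ipaddress.ip_address(dst)))
    scans = []
    for (src, proto, dpt), dsts in probes.items():
        hosts = len(set(dsts))
        run = longest_consecutive_run(dsts)
        if hosts >= min_hosts and run >= min_run:
            scans.append({"src": src, "proto": proto, "dport": dpt,
                          "hosts": hosts, "run": run})
    return scans


if __name__ == "__main__":
    for s in find_range_scans(LOG):
        print(f"{s['src']} swept {s['hosts']} hosts ({s['run']} consecutive) "
              f"on {s['proto']}/{s['dport']}")
```

Keying on (source, protocol, port) rather than on source alone is what separates a sweep for one vulnerable service from a busy legitimate client; the consecutive-run check is what separates the sequential scanners described above from random-IP ones, which need a plain distinct-host count instead.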
Re: a note to those who would automate their rejection notices
On Sat, 27 Dec 2003, Paul Vixie wrote:

> today AOL thoughtfully supplied the following to [EMAIL PROTECTED]:

Did they really?

> [EMAIL PROTECTED]
> SMTP error from remote mailer after initial connection:
> host mailin-02.mx.aol.com [64.12.137.89]:
> 554-(RLY:B1) The information presently available to AOL indicates this
> 554-server is generating high volumes of member complaints from AOL's
> 554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
> 554-http://www.aol.com/info/bulkemail.html AOL may not accept further
> 554-e-mail transactions from this server or domain. For more information,
> 554 please visit http://postmaster.info.aol.com.
>
> this was in response to what the e-mail community refers to as a "trivial
> forgery", whose salient headers were:
>
> Return-path: <[EMAIL PROTECTED]>
> Received: from port-212-202-52-233.reverse.qsc.de
> ([212.202.52.233] helo=1-online-poker-video.com)
> by mx01.qsc.de with esmtp (Exim 3.35 #1)
> id 1AQIw9-bF-00; Sun, 30 Nov 2003 05:11:58 +0100
> Message-ID: <[EMAIL PROTECTED]>
> From: "Ediva Clapp" <[EMAIL PROTECTED]>

You didn't include much of the bounce, but from what you did include, I'm guessing this is similar to lots of spam bounces I've gotten. port-212-202-52-233.reverse.qsc.de originated the message (most likely via a trojan spam proxy/emitter that's infected it) and sent the spam through a local mail server, mx01.qsc.de. mx01.qsc.de is actually the system blacklisted by AOL. When it failed to deliver this spam to AOL, it tried returning it to the "sender", which likely landed the message in a catch-all email box at vix.com. Assuming that's what happened, this isn't AOL's fault at all.

> them was "must scale indefinitely". a simple application of this principle
> toward anti-virus and anti-spam automated rejection notices is to ignore
> the envelope and ignore the header and just focus on the peer IP address:
>
> To: [EMAIL PROTECTED]

That too will bounce.
I haven't checked, but I'd bet port-212-202-52-233.reverse.qsc.de (212.202.52.233) is an end-user running some flavor of Windows and does not run an SMTPd. > "don't make me stop this car, kids." > > ...and to all a good night. When did this become SPAM-L? This sort of thing's been talked about on several of the "other spam lists" for a few weeks since some spamware app started using "local MX's" as relays, likely to circumvent DNSBLs and outbound 25/tcp blocking. We're all going to have to come up with patches or hacks to "rate-limit" outgoing email by originating IP, or things are really going to get ugly as ISPs start blacklisting each other's mail servers to stop this sort of relayed spam. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
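An added example, not code from the thread or from any of the mailers it mentions: the "rate-limit outgoing email by originating IP" hack the reply calls for, sketched as a sliding-window limiter on the ISP's outbound relay. The policy numbers (100 recipients per hour), the client addresses and the submission log are constructed; a real relay would call check() from its RCPT/DATA handler and use the returned reply code.

```python
from collections import defaultdict, deque


class OutboundRateLimiter:
    """Sliding-window cap on recipients per originating client IP, applied at
    the ISP's outbound relay. max_rcpts/window_seconds are example policy values."""

    def __init__(self, max_rcpts=100, window_seconds=3600):
        self.max_rcpts = max_rcpts
        self.window = window_seconds
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, rcpt_count)
        self._in_window = defaultdict(int)  # ip -> recipients still inside the window

    def _expire(self, ip, now):
        q = self._events[ip]
        while q and q[0][0] <= now - self.window:
            _, n = q.popleft()
            self._in_window[ip] -= n

    def check(self, ip, now, rcpts):
        """Return an SMTP reply: 250 accepts the message, 451 tempfails it so a
        legitimate MUA retries later while an infected host gets throttled."""
        self._expire(ip, now)
        if self._in_window[ip] + rcpts > self.max_rcpts:
            return "451 4.7.1 Outbound rate limit exceeded, try again later"
        self._events[ip].append((now, rcpts))
        self._in_window[ip] += rcpts
        return "250 OK"


# Constructed submission log (not from the thread): (seconds, client ip, rcpts).
# 10.1.2.3 behaves like a trojaned PC pushing 150 messages through the relay
# in ten minutes; 10.1.2.50 is a normal user sending three messages.
RECORDS = [(t * 4, "10.1.2.3", 1) for t in range(150)]
RECORDS += [(60, "10.1.2.50", 1), (300, "10.1.2.50", 3), (900, "10.1.2.50", 1)]
RECORDS.sort()


def replay(records, limiter=None):
    """Feed records through the limiter; return per-IP accepted/deferred counts."""
    limiter = limiter or OutboundRateLimiter()
    stats = defaultdict(lambda: {"accepted": 0, "deferred": 0})
    for ts, ip, rcpts in records:
        reply = limiter.check(ip, ts, rcpts)
        stats[ip]["accepted" if reply.startswith("250") else "deferred"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in replay(RECORDS).items():
        print(f"{ip:12s} accepted={counts['accepted']:4d} deferred={counts['deferred']:4d}")
```

Counting recipients rather than messages is deliberate: a spam run with fifty RCPT TOs per message would otherwise stay under a per-message cap. Tempfailing with 451 instead of rejecting outright means the infected host's queue backs up on the customer's side, which is what you want while the abuse desk tracks it down, and a legitimate user who trips the limit loses nothing.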
Re: IANA down?
On Sun, 21 Dec 2003, Etaoin Shrdlu wrote:

> It's you, or something in between. FYI, a traceroute dies at about Los
> Nettos, in SoCal (at 207.151.118.18), and I know that they don't ordinarily
> block ICMP...

I _can_ ping www.iana.org, can't traceroute to it, and the actual web page eventually came up very slowly (long delay). Traceroutes die with either:

15 POS7-0.GW6.LAX9.ALTER.NET (152.63.116.101) 87.960 ms 88.537 ms 86.978 ms
16 icann-gw.customer.alter.net (157.130.247.6) 272.316 ms 128.823 ms 229.495 ms
17 * * *

or

15 POS7-0.GW6.LAX9.ALTER.NET (152.63.116.101) 87.498 ms 93.552 ms 87.251 ms
16 icann-gw.customer.alter.net (157.130.247.6) 92.130 ms 93.301 ms 90.516 ms
17 * icann-gw.customer.alter.net (157.130.247.6) 91.212 ms !X *
18 * * *

Somebody DoS'ing www.iana.org?

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _____ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Bandwidth Control Question
On Fri, 19 Dec 2003, Randy Bush wrote: > > > PA-2FE-FX$5000/card$25.00/Mbit > > $2,000 on ebay And for the 7500s, you can get POSIP full cards for $250-$1000 depending on fiber type, also from ebay. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: AOL postmaster (new request)
On Tue, 2 Dec 2003, Derrick Bennett wrote: > I really hate doing this but after 5 days and no one at AOL's helpdesk > can even tell me why our subnets are being blocked. Can someone with the > Postmaster helpdesk level 2 or higher please contact me. I have a > ticket, I have followed all the rules, and I am still being told that no > one knows why the block is there and no one knows when I will get a I'd have thought this was common knowledge by now...enough of us have gone through it. Do you currently get scomp reports from AOL for your IP space? If not, tell their helpdesk people you want to get setup for scomp reports. The most likely reason for AOL blocking you is they've received greater than some threshold of AOL user spam complaints for email originating at or relayed through your network. Have you verified that they're blocking entire subnets or all of your IP space, or is it just one or a few mail server IPs? If it's just a few IPs, the quickest fix is to add some additional IPs to your outgoing mail server(s) and make them talk to AOL using the new IPs. That will get mail flowing again, but you still need to track down and deal with whatever problem caused them to block you, or your new IPs will end up blocked as well. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Above.net problems ??
On Tue, 25 Nov 2003, hostmaster wrote: > anyone having trouble with above.net at the moment ? I'm sure somebody is. I have a problem with the way they filter portions of the internet (which I'm just assuming has not been resolved internally yet). Perhaps you're asking about their outage in/to Europe today which they say is being caused by a failure in undersea fiber. Apparently that's going to take weeks to get fixed, so they're looking at alternative connectivity to replace it while it's down. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Reachability problems for www.listen-to.com
On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > We received a 69.144/16 from ARIN and spent the following few months > > requesting numerous operators to take that space out of their filters. > > Apparently for various historical reasons many operators filter the entire > > 69. Block. That could be part of the problem. > > http://not69box.atlantic.net/ > http://not69box.atlantic.net/cgi-bin/bogon If you tried these links recently and got an odd message about "Your web site is currently down.", please try again. Someone just pointed out that I'd managed to break the site for access from outside our network while making some IP changes on it a few weeks ago. I've tested it from off-net now and verified it's back up at both not69box.atlantic.net (209.208/17 IP) and 69box.atlantic.net (69/8 IP). -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Reachability problems for www.listen-to.com
On Thu, 13 Nov 2003, Fisher, Shawn wrote: > We received a 69.144/16 from ARIN and spent the following few months > requesting numerous operators to take that space out of their filters. > Apparently for various historical reasons many operators filter the entire > 69. Block. That could be part of the problem. http://not69box.atlantic.net/ http://not69box.atlantic.net/cgi-bin/bogon That second page makes it really easy to see if 69/8 filters are the problem. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: No "encapsulation" command on IOS 12.2(12a) ??
This is what http://cio.cisco.com/go/fn is for. You need a "plus" version for VLAN support on the 3620, i.e. IP Plus, Enterprise Plus, etc. Your IP version below doesn't include the feature you're looking for.

On Fri, 24 Oct 2003, Roman Volf wrote:

> Show Version:
>
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3620-I-M), Version 12.2(12a), RELEASE SOFTWARE (fc1)
>
> flash image:
> System image file is "flash:c3620-i-mz.122-12a.bin"
>
> I'm trying to configure a FastEthernet sub interface for 802.1q VLANs, but
> there's no encapsulation command. I've googled it up for about 2 hours and
> have come up with nothing... the following command sequence is documented
> dozens of times:
>
> As shown on:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#wp3944
> interface fastethernet slot/port.subinterface-number
> encapsulation dot1q vlanid
>
> Any help would be appreciated.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Pitfalls of _accepting_ /24s
On the topic of announcing PA /24's, what procedures do you take to make sure that a new customer who wants to announce a few PA (P being one or more P's other than yourself) IP space is legit and should be announcing that IP space? I'm not sure what they do internally, but I know Sprint, C&W, UUNet, Genuity, Level3, MFN and Broadwing will all comply with a customer's request to route space with nothing in writing other than an email request / webform filled out / route objects properly setup. A client multihomed to a few of those providers (and who has a /24 from each provider) just signed up with a 4th provider. P4 wants an LOA on company letterhead from each other P authorizing the client to announce those other P's /24's. This is the first time I've ever heard of such precautions. The client was really not amused, but I explained that it's possible P4 (who has a rep for doing business with spammers) has gotten burned by customers announcing hijacked (or otherwise unauthorized) blocks and just wants to be extra careful now. Personally, I just check whois, and if it looks legit, I'll listen to those routes and even create their route objects as necessary, since some of our upstreams require that.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Extreme BlackDiamond
On Mon, 13 Oct 2003, Richard A Steenbergen wrote:

> Is it just me, or could nanog really benefit from being moderated, or at
> least nanog-post being access controlled? God knows why I've kept skimming
> it even after the majority of actual clueful network operators have long

Are you volunteering to be the moderator? Moderation is a lot of work, and/or would slow the list down to a crawl. Perhaps limiting who can post would be somewhat useful though. Perhaps only people actually operating "real networks", where "real networks" are somehow defined by their size or their participation in BGP.

From here, [EMAIL PROTECTED] looks like a relatively small colo customer. What's he looking at big switches for? More importantly, does anyone care?

As long as I'm ranting, what about all the recent "could someone with clue from Network X please contact me privately?" posts? If I was that person at Network X, I'd want to know what your issue was before I bothered contacting you (very few of these posts have included any problem description)...both so that I could look at the problem (if there was one) before contacting you, so that I could have the appropriate person contact you (if I'm not it), and so I could not waste the time if you're trying to contact me about an issue (or non-issue) you have no business wasting my time with.

network:Class-Name:network
network:ID:332.209.51.128.0/19
network:Auth-Area:209.51.128.0/19
network:Network-Name:eservers-00037-01
network:IP-Network:209.51.159.224/29
network:Organization;I:eServers dot biz
network:Tech-Contact;I:[EMAIL PROTECTED]
network:Admin-Contact;I:664.dv2.net
network:Created:20020906
network:Updated:20020906
network:Updated-By:[EMAIL PROTECTED]

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: AOL mail server problems?
On Sun, 12 Oct 2003, Brian Bruns wrote:

> I've noticed some weird things going on with AOL's smtp servers today -
> 2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [64.12.138.89] closed connection in response to initial connection
> 2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [64.12.136.153] closed connection in response to initial connection
> 2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [152.163.224.122] closed connection in response to initial connection

They're probably blocking you. Have you gotten many scomp complaints recently?...perhaps a big backlog of them that you/your abuse people haven't dealt with? Last time I dealt with AOL blocking us, that was the cause, and the result was mixed. Sometimes we'd get the connection closed as above, sometimes a 550 message telling us we were blocked.

-- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net | _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Block all servers?
Didn't susan ask for this topic to move off-list? Anybody (no...not Merit) care to step up and create a nanog-issues list where such discussions can continue unmolested when the nanog topic police declare an important topic off-topic? I can understand how some operators might not want to hang out with the masses in spam-l or spam-tools, or waste their time with the noise and kooks in nanae. But these are some pretty serious problems and if we can't come up with solutions soon, the internet is pretty much totally screwed. See more below.

On Sat, 11 Oct 2003, Petri Helenius wrote:

> Secondly, it's very hard, if impossible to come up with a NAT device which
> could translate a significant amount of bandwidth. Coming up with one to put
> just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)

So do the NAT closer to the edge. If you're providing DSL, do many of your customers use DSL modems plugged into their PCs (USB, PCI)?, or are you selling/leasing them DSL routers? In the very beginning, we either sold or gave PCI or USB DSL modems to our customers, but those were usually a PITA to support due to problems with windows, driver issues, hardware becoming unsupported when customers upgraded to the next version of windows, etc. Now, we only hook up DSL customers using DSL routers, and all the DSL routers we've ever used can do NAT, so there'd be no need to try to do NAT at the DSL agg router. I suspect we could selectively do NAT or not for dial-up customers on our access-servers...though I'm not sure how the very large (like AS5400, AS5800) units would fare trying to do NAT for several hundred dial-up sessions. But why all this talk of NAT? Even if we all universally deployed it on monday, it wouldn't solve the problem. All it would do is keep the spammer/hackers from turning grandma's PC into a web server/proxy.
She can still catch tuesday's email virus which will cause her PC to hang out in some IRC channel or monitor some web page, and be remotely controlled for the purpose of sending spam, participating in DDoS floods...and now things just got much harder to track down. When you get complaints that a.b.c.d is participating in some kind of attack, how do you tell which of the dozens or hundreds of customers NAT'd to that IP is responsible/infected? -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003, Joe Boyce wrote:

> VA> Personally, I think preventing residential broadband customers from hosting
> VA> servers would limit a lot of that. I'm not saying that IS the solution.
>
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting
> websites.

That's obviously the case. No spammer has "thousands" of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure windows (isn't that redundant?) boxes.

Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with urls containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the box version of windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: ftp.cisco.com broken ?
On Tue, 7 Oct 2003, Ezequiel Carson wrote:

> can you resolve ftp.cisco.com?
>
> [EMAIL PROTECTED] /]# ping ftp.cisco.com
> ping: unknown host ftp.cisco.com
> [EMAIL PROTECTED] /]#

Probably something to do with the DDoS they said they were under yesterday.

    Non-authoritative answer:
    Name:    ftp.cisco.com
    Address: 64.102.255.95

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re[2]: CCO/cisco.com issues.
On Mon, 6 Oct 2003, Allan Liska wrote:

> KS> The following well-remembered lines come to mind here, and excuse me if
> KS> you hear a slight hysterical laughter from my direction:
>
> I don't know what your post has to do with the original topic, but if
> you don't like the way NONOG is moderated, please feel free to start
> your own Network Operators mailing list.

I'm only guessing here, but I think what he may have meant was:

    First They Came for the IRC bots
    and I did not speak out
    because I did not run a bot.

    Then They Came for the IRC servers
    and I did not speak out
    because I did not run an IRC server.

    ...skip a few years...

    Then They Came for the DNSBLs
    and I did not speak out
    because I did not run a DNSBL.

Now that they've come for cisco, maybe law enforcement, network operators, and router vendors will all get their $h!t together and do something to put a stop to these DDoS attacks that have been going on in various forms for several years. A handful of people (an assumption on my part) have the power / distributed bandwidth to bring just about any internet site/network to its knees using the distributed.net meets DoS tools they've created and distributed to thousands, perhaps millions of internet connected windows boxes. Anyone who doesn't think that's an operational issue, just wait until it bites you on the ass.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: what happened to ARIN tonight ?
On Sun, 28 Sep 2003, Robert Boyle wrote:

> I see them via a UUNet announcement through Veroxity and Sprint transit,
> but I don't see it via any other peer or transit provider. Are they
> multi-homed?

I only see them via uunet as well. I noticed earlier that they were suppressed due to dampening (must have had some issues with their connection and flapped one too many times). They seem to be back now.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: AOL Proxy Servers not connecting via https - resolved
On Thu, 25 Sep 2003, Ron da Silva wrote:

> > On Thu, Sep 25, 2003 at 06:11:23PM -0400, Brian Bruns wrote:
> > >
> > > This might be helpful to people setting up ACLs and the like:
> > >
> > > http://webmaster.info.aol.com/proxyinfo.html
>
> I think the point that Mike was making is that RFC1918
> space is 172.16.0.0/20 not a /8.

At least two people have posted incorrectly about 172.16, wrt who has what and how big it is.

    Rekhter, et al           Best Current Practice                 [Page 3]
    RFC 1918        Address Allocation for Private Internets   February 1996

    3. Private Address Space

       The Internet Assigned Numbers Authority (IANA) has reserved the
       following three blocks of the IP address space for private internets:

         10.0.0.0    -  10.255.255.255  (10/8 prefix)
         172.16.0.0  -  172.31.255.255  (172.16/12 prefix)
         192.168.0.0 - 192.168.255.255  (192.168/16 prefix)

AOL has

    NetRange:   172.128.0.0 - 172.191.255.255
    CIDR:       172.128.0.0/10

    NetRange:   172.192.0.0 - 172.211.255.255
    CIDR:       172.192.0.0/12, 172.208.0.0/14

and apparently a bunch of other blocks.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: williams spamhaus blacklist
On Wed, 24 Sep 2003, Leo Bicknell wrote:

> What you're missing in my argument is that it doesn't matter. I
> have no idea who Eddy Marin is, nor do I care. Blocking wcg's
> corporate mail servers is not the solution. Sure, it may get
> someone's attention at wcg, but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

But it's ok when AboveNet does it?...or actually does much worse by secretly and arbitrarily blackholing various networks at will, while advertising connectivity to those networks to their BGP customers and peers? This means anyone connected to AboveNet will be unable to reach those blackholed victims if the routes to those destinations propagated by AboveNet appear to be their "best route" to the affected networks. This breaks connectivity even though we have multiple other transit providers.

This is much worse than a Spamhaus (or any other DNSBL) listing since anyone using such services does so by choice and can decide for themselves what action to take, if any, for listed addresses. With AboveNet blackhole routing, our only option, once we're aware of the problem, is to make changes to our routing policy and force traffic away from AboveNet and onto one of our other transit providers.

We only find out about such AboveNet blackhole routes when we open a ticket with AboveNet to ask why your network is broken when our customers complain of networks they can't reach when using our service (i.e. banks that can't reach their staff training web sites), but they can reach from other service providers, so they inform us that our network is broken. Whose attention is AboveNet trying to get?

Anyone taking BGP routes from AboveNet, or worse yet, single homed to AboveNet, ought to be aware of this policy. At the very least, you should make sure whoever does your BGP is aware of it and knows how to reroute traffic when the "best route" doesn't actually work. You also might bring it up with your sales person when it's time to renew.

The central image on www.above.net boasts of "Unconstrained Information Exchange". I wish that were true.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Geo. wrote:

> If any of the dos'ed to death rbls really wants to get back at the spammers
> it's easy. Write software that allows any ISP or business to use their mail
> servers and their customers/employees (via a forward to address) to maintain
> their own highly dynamic blacklist.

Already been done.

http://spamikaze.nl.linux.org/

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: monkeys.dom UPL being DDOSed to death
On Tue, 23 Sep 2003, Jason Slagle wrote:

> It's somewhat funny. Quite some time ago, us IRC server operators warned
> about this same thing, and were mostly just told to "not run IRC servers."

A private IRC server with one user isn't much fun.

> The anti-spammers will likely just get told to "not run DNSBL's." This
> only works up until the point that it's YOUR service that's getting hit and
> people tell you to stop running it.

A private DNSBL with one user works just fine. If whoever is behind this succeeds in "driving all the DNSBLs off the net" what they'll really do is drive them all underground. In the short term, lots of networks will lose access to the public DNSBLs they've been using. The spammers will rejoice, but that will only fuel the creation of hundreds (maybe thousands) of new private DNSBLs. Necessity is the mother of invention. Those with clue, will run their own. A lot of those without will too. Some will likely even latch onto the "last snapshot" they got before the DNSBLs they were syncing went offline/private. These will, of course, get out of date and out of sync almost immediately. Once you host a customer who turns out to be a spammer, good luck getting those IPs removed from 1 private DNSBLs. E-mail abuse management may be the next field to really open up with job opportunities as networks will have to contact a large portion of the internet to try to get IPs cleared from everyone's private DNSBL...most of which will be poorly documented if at all.

Just over 2 years ago, I posted a message titled "Affects of the balkanization of mail blacklisting" about how ex-MAPS users were using out-of-sync copies of the MAPS DUL after MAPS went commercial and those networks presumably lost access to the data. I guess that was just the tip of the iceberg.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: VeriSign SMTP reject server updated
On Sat, 20 Sep 2003, Avleen Vig wrote:

> > > We are interested in feedback on the best way within the SMTP protocol
> > > to definitively reject mail at these servers. One alternate option we
> > [snip]
> > The correct "solution" is to remove the wildcarding.
>
> Until that happens, the best thing to do IS accept and then reject mail.
> This is significantly better than leaving it to expire in a spool after
> 5 days.

Did someone already suggest adding an MX to the * record that points to a nonexistent host (obviously in some other TLD)? At least in my environment (sendmail/bind9/Linux), I can setup a wildcard record with an A record and an MX record pointing to a bogus host, and mail bounces immediately.

    550 5.1.2 <[EMAIL PROTECTED]>... Host unknown (Name server: nomail.invalid.: host not found)

I think the whole wildcards in .com/.net is a bogus idea...but this sort of setup would at least keep lots of mail from trying to get delivered to VeriSlime.

I've already had to fix one old SpamAssassin installation that was scoring mail based on hits in one of the dorkslayers.com dnsbls that no longer exists. It seems dorkslayers.com has decided to fix this by registering some name servers again. Until recently, they'd taken the name server records off the domain, and so VeriSlime had hijacked dorkslayers.com, turning it and all its subzones into a 0/0 dnsbl.

    modified: 2003-09-16 15:52:46 UTC JORE-1

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Worst design decisions?
The off-topic nanog thread that won't die (where are the topic police?...never around when you need one)...and then just when you think it has died, some member's virus infected Microsoft Windows PC (hey is that redundant?) replies to you with the thread's subject and no body other than a virus attachment, even though you never replied (on-list) to the thread. Whoever you are, do everyone a favor and turn off your PC.

    Received: from speedbd.speedbd.net (212-165-128-186.reverse.newskies.net [212.165.128.186] (may be forged))
        by sloth.lewis.org (8.11.6/8.11.6) with SMTP id h8L7A4P09167
        for <[EMAIL PROTECTED]>; Sun, 21 Sep 2003 03:10:19 -0400

My vote for worst design decision? Easy. Lookout Virus Express.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Providers removing blocks on port 135?
On Sat, 20 Sep 2003, Justin Shore wrote:

> This veers off the original topic. Of course I don't think any of us
> recall what that was anyways... I remember back when I first started
> using the DUL. Of all the DNSBLs I used at the time it blocked the most
> spam of any of them. I mean that by a long shot. About the time the DUL
> and other MAPS lists went commercial is about the same time I noticed
> fewer and fewer hits on the DUL. We still pay for an AXFR (IXFR) of it
> but it doesn't block nearly as much as it used to.

At one time, signing up for "throwaway dial-up accounts" was a common spammer MO. We got hit a couple times, and they were like a plague of vermin [the spammers]. They'd sign up giving us bogus contact info and a freshly stolen (active) credit card. When the account was activated, they'd dial in using half a dozen or so lines and pump out as much spam (direct-to-MX) as they could. The really annoying bit is, we'd terminate them, they'd call right back, and sign up again, giving different bogus info and card numbers. We'd block them by ANI, and they'd block caller-ID when calling us. I ended up being forced to block access to some of our dial-up numbers both by ANI, and if there was no ANI, and then had to setup exceptions for a few customers in those areas who we never got ANI for. When I tried getting police in their areacode to investigate, they had no interest/were too busy...even though I could give them phone numbers the accounts were used from and stolen credit cards.

To put a little operational spin in here...how many of you run dial-up networks where you refuse logins unless you get ANI?...and if you do this, do you also maintain an ANI blacklist?

Anyway...they moved on to proxy abuse, then outright theft by creating their own proxies on compromised MS Windows boxes. Both methods have the advantage of totally hiding the spammer from the recipients and bandwidth amplification. I imagine you could utilize multiple spam proxies on broadband connections pumping out your spam while connected via dial-up yourself.

If you look at the numbers at http://njabl.org/stats, about 5% of the hosts that have ever been checked are currently open relays (or nobody's bothered to remove them). IIRC, at one point, this was nearly 20%. 13.6% are open proxies...and the disparity is definitely still growing, with about 10x as many open proxies as relays being detected daily. Unfortunately, the new breed of purpose-built spam proxies are generally not remotely detectable, so the proxy percentage would be even higher if it included the newer spam proxies.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Verisign's New Change and Outdate RBL's
On Tue, 16 Sep 2003, Patrick Muldoon wrote:

> Was playing with a test box here at home. Installed SpamAssassin from a
> newly cvsup'd ports tree on a FreeBSD box, and was surprised to see
> messages getting marked as received in blacklists that no longer exist.
> Most notably ORBS. Since this was a fresh Install I hadn't gone
> through and removed the dead RBL's from 20_head_tests.cf yet. Since
> dorkslayers doesn't exist, any queries for it are returning that
> infamous sitefinder address.
>
> [EMAIL PROTECTED] doon]$ host 34.131.246.64.orbs.dorkslayers.com
> 34.131.246.64.orbs.dorkslayers.com has address 64.94.110.11

I wonder if they've been playing with these wildcards on and off for a few weeks? I have a script that checks for our mail servers in a bunch of popular DNSBLs periodically. On and off over the past few weeks, I started getting notifications from that script that all of our servers were in the various dorkslayers.com DNSBL zones. The dorkslayers.com DNSBLs were all shut down, AFAIK, at least several months ago. I got this notification again last night, and finally commented out the tests for those zones.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: 92 Byte ICMP Blocking Problem
That's really weird. I've been running with

    route-map nachiworm permit 10
     match ip address nachilist
     match length 92 92
     set interface Null0

    ip access-list extended nachilist
     permit icmp any any echo
     permit icmp any any echo-reply

    ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers that can do it properly (just blocking echo/echo-reply on the older ones that can't do the policy) and haven't heard about any customer complaints other than "I can't ping" in the places where we've blocked all echo/echo-reply. The routers doing this (7200/7500)'s are all running 12.2(1-3)S. Access servers are running mostly 12.1M or 12.2XB code.

On Fri, 12 Sep 2003, William Devine, II wrote:

> I had the exact same problem. As soon as I turned it on, within minutes I
> had customers calling that could no longer FTP into Win2k servers and some
> that couldn't SSH into their Linux servers.
> I've since turned it off as well.
> Are there any other known ways to block this?
>
> - Original Message -
> From: "Chris Adams" <[EMAIL PROTECTED]>
> To: "Steven M. Bellovin" <[EMAIL PROTECTED]>
> Cc: "Nanog" <[EMAIL PROTECTED]>
> Sent: Friday, September 12, 2003 1:32 PM
> Subject: Re: 92 Byte ICMP Blocking Problem
>
> > I don't have it in place anymore (because it caused more problems than
> > it fixed), so I can't test this. In any case, the route map only
> > matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> > PMTU uses, so it shouldn't have had a problem. Also, I know that the
> > MTU along the path for the person in the office is the same all the way,
> > so PMTU shouldn't come into play there.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
RE: Tier-1 without their own backbone?
On Wed, 27 Aug 2003, Sean Crandall wrote:

> I have about 5 GB of IP transit connections from Level3 across 8 markets
> (plus using their facilities for our backbone). Level3 has been very solid
> on the IP transit side.
>
> MFN/AboveNet has also been very good to us.

Another happy Level3 customer. We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations. Or as they say, I encourage my competitors to buy from them.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Re[2]: relays.osirusoft.com
On 27 Aug 2003, Paul Vixie wrote:

> ...because running blackhole lists is surprisingly more hard
> than most people think. (witness the sorbs.net message here
> a few hours ago complaining of 50Kpkt/day query loads.) i've

Matt wasn't complaining about query loads. And 50Kpkt/day in queries is nothing anyway. He was complaining about being DDoS'd by spammers or others who just don't like dnsbls. AFAIK, SORBS, SPEWS, and Osirusoft have all been the targets of DDoS's for a few weeks.

> this part, on the other hand...
>
> > he's put
> > *.*.*.* in, he's asking people not to use it anymore.
>
> ...mystifies me. anyone who has read rfc1034 or rfc1035, even
> if they did not also read rfc2181 or rfc2136 or rfc2308, knows
> that in a zone containing the following wildcardish data:
>
> $ORIGIN example.vix.com.
> *    1H IN A 127.0.0.1
> *.*  1H IN A 127.0.0.2

This was just a misunderstanding on the part of the previous poster. Unless he has a copy of the zone (not likely given the unreliability of Joe's DNS servers lately), he wouldn't be able to see this. I think he just wasn't familiar with how wildcards worked and assumed each * only matched one [^.]*, which is incorrect. AFAICT, what he did add was:

    *   24H A   127.0.0.2
        24H TXT "Please stop using relays.osirusoft.com"

which is much worse than just emptying the zone, removing it from the NS's, or shutting down the DNS servers.

> when i deprecated the old $foo.maps.vix.com zones in favour of the their
> corresponding replacements $bar.mail-abuse.org some years ago, i had the
> foresight to ensure that no mail would be blocked by people who failed to
> put in the configuration change. now you can all see why that was nec'y.

Mail would only have been blocked if you had done something crazy like the above. Mail was delayed (and servers put under heavy load waiting for DNS queries to time out) when MAPS finally shut off free access without warning (a week or more after they originally had warned they'd do it, but gave everyone an extension when there was massive public outcry and they were unable to keep up with inquiries about buying access).

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
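The failure modes discussed in the VeriSign, dorkslayers.com and relays.osirusoft.com messages above (a dead zone answering for every name under a registry wildcard, and a catch-all `*` record listing every query) are both detectable before a DNSBL answer is trusted. The following is an added example, not code from any of the posts or from any DNSBL operator; it is a periodic "are our mail servers listed?" check of the kind mentioned above, which skips a zone that answers for 127.0.0.1 or fails to answer for 127.0.0.2. The resolver is a parameter, so the offline `fake_resolver`, `live.example` and the 10.0.0.x addresses are all constructed; for real lookups pass `system_resolver`.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]   # name -> first A record, or None for NXDOMAIN

SITEFINDER_ADDR = "64.94.110.11"   # the address the quoted 'host' output shows Site Finder returning


def reverse_ip(ip: str) -> str:
    """DNSBLs are queried with the octets reversed: 64.246.131.34 -> 34.131.246.64."""
    return ".".join(reversed(ip.split(".")))


def system_resolver(name: str) -> Optional[str]:
    """Live lookups for production use (the offline example below does not call this)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zone_problem(zone: str, resolve: Resolver) -> Optional[str]:
    """Return why a zone cannot be trusted, or None if it looks healthy.

    DNSBLs conventionally list 127.0.0.2 as a test entry and never list 127.0.0.1
    (the convention was later written down in RFC 5782). So:
      1.0.0.127.<zone> answering   -> a catch-all record or a registry wildcard
                                      is answering for every name (a "0/0 dnsbl")
      2.0.0.127.<zone> silent      -> the zone is dead or empty, skip it
      2.0.0.127.<zone> not 127/8   -> something other than the DNSBL answered
    """
    never_listed = resolve(f"1.0.0.127.{zone}")
    if never_listed is not None:
        return f"answers for 1.0.0.127 ({never_listed}): catch-all or wildcard"
    always_listed = resolve(f"2.0.0.127.{zone}")
    if always_listed is None:
        return "no answer for 2.0.0.127: zone dead or empty"
    if not always_listed.startswith("127."):
        return f"non-loopback answer {always_listed} for the test entry: hijacked"
    return None


def check_hosts(hosts: Iterable[str], zones: Iterable[str],
                resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Return {zone: {ip: answer}} for listed hosts; untrusted zones go under 'skipped'."""
    report: Dict[str, Dict[str, str]] = {"skipped": {}}
    for zone in zones:
        why = zone_problem(zone, resolve)
        if why is not None:
            report["skipped"][zone] = why
            continue
        report[zone] = {}
        for ip in hosts:
            answer = resolve(f"{reverse_ip(ip)}.{zone}")
            if answer is not None:
                report[zone][ip] = answer
    return report


# Constructed stand-in for the DNS as the posts describe it (no real lookups):
#   live.example           a healthy zone that lists one of our addresses
#   orbs.dorkslayers.com   a dead zone: every name gets the Site Finder address
#   relays.osirusoft.com   a '*' A record that lists every query
def fake_resolver(name: str) -> Optional[str]:
    if name.endswith(".orbs.dorkslayers.com"):
        return SITEFINDER_ADDR
    if name.endswith(".relays.osirusoft.com"):
        return "127.0.0.2"
    healthy = {
        "2.0.0.127.live.example": "127.0.0.2",   # the test entry
        "2.0.0.10.live.example": "127.0.0.2",    # constructed listing of 10.0.0.2
    }
    return healthy.get(name)


OUR_MAIL_SERVERS = ["10.0.0.1", "10.0.0.2"]   # constructed addresses
ZONES = ["live.example", "orbs.dorkslayers.com", "relays.osirusoft.com"]

if __name__ == "__main__":
    for zone, result in check_hosts(OUR_MAIL_SERVERS, ZONES, fake_resolver).items():
        print(f"{zone}: {result}")
```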
Re: Opinion on null0'ing entire 218.0.0.0?
On Tue, 26 Aug 2003, Mikael Abrahamsson wrote:

> > Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I
> > am? Has anyone actually considered null routing the whole block?
> >
> > Are there actually any 'users' in APNIC space? Or is it all spam from korea?
>
> Korea has one of the highest ratio of broadband connected households in
> the world (if not the highest).

That would explain the incredibly large number of open proxies in 218/8.

Drew, I don't think you're being spammed by Koreans...at least not directly by the ones delivering the spam to you. You're more likely just being spammed via open proxies that happen to be Korean. It's your network...do what your customers will let you get away with. How many Korean customers might you have that will be pissed when they find they can't exchange email with family and friends in Korea? There's one sure way to find out.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: FW: TNT issues "workaround"
On Sat, 23 Aug 2003, Ross Chandler wrote:

> > I seem to be having the same or similar problems with my Cisco boxes
> > also, they either reboot or the pris hang, users get busy's but no
> > one is logged in at all, when I do a show isdn status it shows b
> > channels in use but no one on, the only way to fix is reboot the box,
> > and it seems to be timed, everyday at 1400 and 2200 hours, since
> > Monday. Anybody heard of ciscos acting funny this week?
>
> Perhaps your fast switching route cache is filling up memory. If you're
> willing to risk it enable CEF on all interfaces.

Some of the older cisco access-servers don't even support CEF. The cisco failures seem to be memory starvation/fragmentation issues caused by out of control route-cache growth caused by the nachi worm's attempt to ping so many different hosts so quickly while looking for systems to spread to.

You can work around the issue by:

a) using policy routing to pass all dialup traffic through a route-map that sends 92 byte echo/echo-reply packets to null0.

b) blocking all echo/echo-reply coming in from dial-up users (i.e. apply an input acl to your virtual-template and/or group-async interfaces).

c) disabling route caching on the egress interface of the access server.

I'm doing a mix of a (on the access-servers that this works on) and b where a doesn't work...and tested c this morning and found it appears to work.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Cisco OC-3c card question
On Fri, 22 Aug 2003, Stephen Milton wrote:

> What is the most cost effective equipment to use to connect two
> locations with an OC-3c circuit? I currently have 7206VXR routers at
> both ends, so would prefer slot cards for those if feasible.

There are PA-POS-OC3 cards (IIRC 3 flavors), and you need to shop for the right kind to match up with the way your telco provider is handing the circuit to you (multimode, single-mode intermediate reach and single-mode long reach).

http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_brochure09186a0080091c94.html

I recently needed some OC3 interfaces and went with older POSIP-OC3-50 cards (full size cards for the 7500 series) as they were much cheaper than PA-POS cards. They're basically specialized VIP2-50's with a double-wide POS adaptor.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Hijacked email
On Wed, 20 Aug 2003, Pascal Gloor wrote:

> > Anyone seeing hijacked email addresses with this Sobig-F worm? I did
> > some research and I know I didn't send anything to Investec Bank of
> > Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> same here... seems the worm is not only using the address book for targets,
> but also as sources..

Is this surprising to anyone? That's the way the past few Lookout Virus Express viruses have worked. The funny thing is, on this account, I've gotten zero copies that I've noticed...just lots of mail from various lists talking about it. On my work account, I've gotten several this morning and a bunch of bounces.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
RE: Working vulnerability? (Cisco exploit)
On Fri, 18 Jul 2003, Ben Buxton wrote:

> It's released and it works - I have verified it in a lab here.

And others are trying it in the field now. I setup the recommended transit ACLs yesterday. Starting at 9:25am EDT this morning, those ACLs started getting hits. What doesn't make sense to me is according to the advisory, the packets have to be destined for the router to crash it (not just passed through it), but people are attacking seemingly random IPs, including ones in a new ARIN block that have not yet been assigned/used for anything. What do they think they're attacking?

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Don't call registry off the map?
On Fri, 27 Jun 2003, Patrick wrote:

> Can anyone reach www.donotcall.gov? Seems to be off the map...
>
> I guess this is just the public's way of inviting the DMA (Direct Marketing
> Association) to re-evaluate their assertions that the majority of the
> populace enjoys receiving telemarketing calls...

I was able to get the main page around 8am EDT...but even then it was very slow. I entered 3 phone numbers and tried to submit, but it would not accept the connection for my form post. I retried many times around 8am, and again just now, and finally got to steps two and three a few minutes before 1pm. I heard from a few people who got all the way to step three before 8am EDT, but no one had received the email yet.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: ISPs are asked to block yet another port
On 23 Jun 2003, Paul Vixie wrote:

> 3) thoughtless reactionism at isp's does little good and sometimes some harm.
>
> take for example port-25 blocking. i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYN's through a provider who shall remain nameless ...
> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACK's on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

We used to provide dial-up ports to a large cut-rate dial provider who I'm not going to name. Their reaction to such games was to send in their radius auth packets data filters to block both outgoing to port 25 and incoming from port 25. There's nothing silly about restricting use of tcp/25 for dial-ups and other dynamics...you just have to do it right to be 100% effective.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
RE: IRR/RADB and BGP
On Fri, 20 Jun 2003, Andy Dills wrote:

> I dunno, there are plenty of smaller ASes who have yet to be forced to
> register their routes.
>
> We haven't yet been forced, but I finally got motivated to submit them to
> altdb last night. Altdb definitely rocks.

Back when I got PI space in 1998, there were definitely some backbones ignoring routes not found in the IRR. I wonder if they gave up, or people just don't notice them anymore.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Network discovery and mapping
On Sun, 22 Jun 2003, Andy Dills wrote:

> That's quite a "medium-scale".
>
> Is there a single entity in the world that controls 1,000 networks and
> 100,000 network devices?

WorldCom^Hn

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: IRR/RADB and BGP
On Thu, 19 Jun 2003, Randy Bush wrote:

> the providers i know who want irr registration provide their own
> registry for their customers. if yours does not, there are free
> registries around.

Just in case they don't, or if you'd rather be provider neutral in case you switch providers or worry the current one will get bought / go under, there's altdb.net (totally free), and IIRC, ARIN has their own routing registry, which I think is free for ARIN members to use.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Spam from weird IP 118.189.136.119
On Mon, 16 Jun 2003, Frank Louwers wrote:

> > > > > "Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
>                         ^
> what's the next/previous line? (The one just above it)

ditto. I think you've been fooled by forged headers. Not only is that IP in a reserved block, I've never heard of the NNFMP protocol except as referenced in poorly forged headers.

--
 Jon Lewis [EMAIL PROTECTED] | I route
 System Administrator        | therefore you are
 Atlantic Net                |
 http://www.lewis.org/~jlewis/pgp for PGP public key
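Three of the messages above each point at one tell in a Received: line: the RFC 1918 message (172.16/12 is private, the rest of 172/8 is not), the "Worst design decisions?" message (sendmail's "(may be forged)" annotation when reverse DNS does not verify), and this one (an address in unallocated space and a transmission type nobody has heard of). The following is an added example, not code from any of the posts; it folds those checks into one function run over the two headers quoted above plus two constructed ones. `mx.example`, `relay.internal`, `host.example` and the 172.x addresses in the constructed lines are made up, and `UNALLOCATED_2003` is an input because unallocated space changes over time.

```python
import ipaddress
import re
from typing import Iterable, List

# RFC 1918 private address space, exactly the three blocks quoted in the RFC excerpt above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Some registered mail transmission types (IANA "Mail Transmission Types" registry; partial list).
KNOWN_WITH = {"SMTP", "ESMTP", "ESMTPA", "ESMTPS", "ESMTPSA", "LMTP", "LMTPA", "LMTPS", "LMTPSA", "UUCP"}

# Unallocated space is a moving target: 118/8 was unallocated when the post above was
# written (it calls it a reserved block) and has since been assigned, so it is passed
# in by the caller rather than baked into the check. Constructed from the post.
UNALLOCATED_2003 = [ipaddress.ip_network("118.0.0.0/8")]

FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"\(([^\s()\[\]]+)\s+\[")      # "(rdns.name [1.2.3.4]" as sendmail writes it
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def check_received(line: str, unallocated: Iterable[ipaddress.IPv4Network] = ()) -> List[str]:
    """Return a list of findings for one Received: line; an empty list means nothing odd."""
    findings: List[str] = []
    m = FROM_RE.match(line)
    helo = m.group(1) if m else None            # the name the client gave in HELO/EHLO
    ipm = IP_RE.search(line)                    # the address the receiving MTA saw
    if ipm:
        addr = ipaddress.ip_address(ipm.group(1))
        if any(addr in net for net in RFC1918):
            findings.append(f"source {addr} is RFC 1918 private space")
        elif addr.is_loopback or addr.is_link_local or addr.is_reserved:
            findings.append(f"source {addr} is loopback/link-local/reserved space")
        for net in unallocated:
            if addr in net:
                findings.append(f"source {addr} lies in unallocated block {net}")
    if "(may be forged)" in line:
        findings.append("MTA could not verify the reverse DNS name (may be forged)")
    rm = RDNS_RE.search(line)
    if helo and rm and not helo.startswith("[") and helo.lower() != rm.group(1).lower():
        findings.append(f"HELO name {helo} differs from reverse DNS name {rm.group(1)}")
    wm = WITH_RE.search(line)
    if wm and wm.group(1).upper() not in KNOWN_WITH:
        findings.append(f"unregistered transmission type '{wm.group(1)}'")
    return findings


# The two headers quoted in the posts above, plus two constructed ones.
FORGED = ("Received: from speedbd.speedbd.net (212-165-128-186.reverse.newskies.net "
          "[212.165.128.186] (may be forged)) by sloth.lewis.org (8.11.6/8.11.6) with SMTP "
          "id h8L7A4P09167 for <[EMAIL PROTECTED]>; Sun, 21 Sep 2003 03:10:19 -0400")
NNFMP = "Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
PRIVATE = "Received: from relay.internal (relay.internal [172.20.1.5]) by mx.example with ESMTP id c0001;"
NOT_PRIVATE = "Received: from host.example (host.example [172.130.0.5]) by mx.example with ESMTP id c0002;"

if __name__ == "__main__":
    for label, hdr in (("forged", FORGED), ("nnfmp", NNFMP),
                       ("172.20 (private)", PRIVATE), ("172.130 (not private)", NOT_PRIVATE)):
        print(label, check_received(hdr, UNALLOCATED_2003))
```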
Re: rr style scanning of non-customers
On Fri, 13 Jun 2003, Kuhtz, Christian wrote:
> Some ISPs, such as RR, appear to be implementing what I personally would
> consider quite aggressive approaches to guarding their network by
> implementing "proactive" scanning of non-customers, similar to what's
> described at
>
> http://security.rr.com/probing.htm <http://security.rr.com/probing.htm>
>
> In this case, sending email to @rr.com appears to trigger this scanning
> business (mind you, this is not about the scanning their subs biz; I don't

Proactive = scanning for open systems before they come to you.
Reactive = scanning the IPs that connect to you to see if they're open.

They spell this out very clearly on the page referenced above and say that they're doing proactive scanning of their own network and reactive scanning of the rest of the internet. Do you have any reason to believe they're not doing as they say? Is it time for the monthly nanog spam debate again already? :)

Unfortunately, what they're looking for is only a small sub-set of the commonly used ports by various proxy software typically installed wide open on broadband connected systems. If they're serious about reactive scanning, they ought to either update the ports tested or just ally with one of the various dnsbls that does this sort of testing (less/more effective testing would be the result).

The last time this topic came up, it was suggested by others that either trojan or virus software was installing/creating open proxies. I wrote that off as people being overly paranoid. I'm sorry to say that I now know this to be true and have seen many installations of at least one strain of such proxy software.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Black box that allows just an A or B DC feed
On Mon, 9 Jun 2003, james wrote:
> Thanks to those who indicated all I need is a relay and some diodes,
> that I know ! I am more looking for black box that does this and is
> NEBS approved.

Courtesy of Sean Donelan when I asked about this 6-7 months ago...

See http://www.enewton.com/
Part number 7570221021 FUSE PANEL,-48VDC,C-SOURCE

Their site won't give you any more information about it unless you have a login (which I don't). I had our purchasing person look into this at the time, and was told they're quite expensive...so for gear with just one DC input, we've been just using one source. Right now, that's just a few pieces. Just about all our DC gear supports 2 power supplies.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Etiquette and rules regarding Hijacked ASN's or IP space?
On Mon, 9 Jun 2003, Joe Abley wrote:
> The ISP in Toronto asked for an LOA, and got one, neatly presented on
> company letterhead, and accompanied by e-mail from the tech contact for
> the block confirming that the request to advertise the block was
> authorised.
>
> Is that enough justification to perform the announcement? Where exactly
> should the line be drawn?

Unfortunately, probably not. How do they know it was company letterhead? Had they ever seen the company's letterhead before? How do they know I didn't just create that LOA and letterhead in OpenOffice?

> Maybe some service akin to a credit check is required.
>
> "Hello, I have a request to accept an announcement of 203.97.0.0/17
> from AS 4768."
> "That request is legitimate according to our records, here is your
> auth code."

Trouble is, how do you/they know if both the space and ASN have been hijacked?

> "Hello, my new customer with the following contact details has asked
> me to originate 203.167.0.0/18 from AS 9327."
> "We cannot confirm the legitimacy of that request, and the listed
> contact for 203.167.0.0/18 has been informed of your request."

The listed contact may not be who ARIN [or other local RIR] thinks it is.

> Since the RIRs contain the information required to answer those
> questions, you'd expect them (or their data) to be involved in the
> process of answering them.

They really don't. Thus far, when space is assigned, the RIRs have no way to later authenticate that an organization using the space is the same one that they assigned it to.

As for the current state of BGP authentication/sanity checking, I can say 2 of my 4 upstreams take whatever I put in the routing registry. The other two require an email be sent requesting prefix filter updates. I was just told by one, that they'll accept whatever I request, only questioning it if someone complains to them about it. The other, I haven't asked, but I assume they work similarly. On the bright side, all of them are at least filtering.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Pesky spammers are using my mailbox
On Sat, 31 May 2003, Stephen J. Wilcox wrote:
> seems some spammers are using one of my personal domains as the from
> field in their emails, the local-part being random so I can't easily
> block it.
>
> Has anyone any advice on tracking them down and making them stop?

Tactical baseball bat at close range? :)

I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: dnsbl's? - an informal survey
On Sat, 31 May 2003, Mr. James W. Laferriere wrote:
> > White listing comes with any blacklist. The blacklists in particular
> > being discussed were the @dynamics, like the PDL and dynablock at
> > easynet. Both lists quite clearly state how they build their lists and
> > what they are designed to block (dynablock only takes out dialup, and
> > PDL takes out all dynamic addressing).
> Query , How is it determined that the address in question is
> dynamic or not ? Who/how/what makes that determination ?
> This is the core of my concerns .

It's usually determined via in-addr.arpa, whois data, or direct information from the provider. When MAPS was freely available, I used to periodically email them updates on our IP space (please add these dial ranges, please remove these others). I'm sure others did the same. AFAIK, they had at least one FTE whose job it was to maintain the DUL.

Those large providers who stole copies of the DUL before MAPS pulled the plug on them, and continued to use them without maintenance still annoy me as we've run into issues multiple times with space removed from the DUL still being in their private copies.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: IANA reserved Address Space
On Fri, 30 May 2003 [EMAIL PROTECTED] wrote:
> 1.0.0.0 /8
> 10.0.0.0 /8
> 100.0.0.0 /8
>
> I need 3 distinct zones which is why I wanted to separate
> them out. In any case, I was wondering about the
> status of the 1 /8 and the 100 /8 networks. What does
> it mean that they are IANA reserved? Reserved for what?
> http://www.iana.org/assignments/ipv4-address-space

It means (like what has happened recently with 69/8 and others) that they're not in use YET. Eventually, they will go from Reserved to RIR assigned and you will have reachability issues if your lab is ever connected to the internet.

> Anyone else ever use IANA reserved address spacing for
> lab networks? Is there anything special I need to know?

There's an awful lot of RFC 1918 space. How about using some of it?

http://69box.atlantic.net/

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: [ifl.net #3657] Contact at: DNSRBL / Namesystems
On 27 May 2003, John R. Levine wrote:
> > Despite attempts to contact DNSRBL / Namesystems I'm not receiving
> > any response at all - has anyone on the list any useful contacts?
> > (www.dnsrbl.com) - please reply off list.
>
> I know a lot of DNSBLs, and I've never heard of this one before, nor
> do I know anyone who uses it.

I've heard of it...can't remember why. Perhaps just that they popped up in http://www.sdsc.edu/~jeff/spam/cbc.html which I check from time to time. I haven't had the opportunity to look at their site much since it does "Evil $hit"(TM) that doesn't render in Netscape for Linux and locks up Opera for Linux. I had to use Konqueror just now to see their site.

> If someone's using it to block mail and you care about sending mail to
> that recipient, I'd be more inclined to call the recipient and
> suggest he or she use some more competently run DNSBLs.

Or just ask them to whitelist you, but it is kind of annoying that dnsrbl would list your server as a spam source, without making any evidence available on their site suggesting what caused them to form that opinion.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
69/8 revisited
I've set up a little web site with the results of my ping sweep to attempt to locate as many networks as possible with outdated bogon filters.

http://69box.atlantic.net/

If you can't reach that, fix your network...or use the alternative non-69/8 hostname

http://not69box.atlantic.net/

Number of IP's currently known to have 69/8 filter issues: 683
Number of /24 networks currently known to have 69/8 filter issues: 511

Check out the site and see if you recognize any of the IPs. You can test/remove IPs if they've become reachable, or test/add IPs if they have 69/8 filter issues.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Verizon mail server on MAPS RSS list
On Thu, 27 Mar 2003, Josh Gentry wrote:
> We've got customers trying to receive email from people using Verizon for
> Internet access, and we are rejecting that mail because
> out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list. Can't pull
> up the MAPS RSS website at the moment to check why. Anyone know contact
> info for Verizon for this kind of issue?

MAPS RSS is a list of open relays, no? It's a pretty good guess that the above mentioned server is therefore an open relay...and it's a correct one in this case.

http://www.njabl.org/cgi-bin/lookup.cgi?query=206.46.170.44
http://openrbl.org/ip/206/46/170/44.htm

If you're going to use a dnsbl, anybody's dnsbl, figure out how to whitelist first (or real soon after), because this sort of thing will happen from time to time.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: how to get people to upgrade? (Re: The weak link? DNS)
On Wed, 26 Mar 2003, E.B. Dreger wrote:
> CK> The way I see it, the issue isn't that there aren't enough
> CK> notifications of BIND vulnerabilities.
>
> Perhaps. But how much is enough? Current notification levels
> certainly get a fair number of admins to upgrade.

The majority of those who don't keep up with security releases won't unless their systems break or you personally notify them and explain the problem to them...much like equipment with unmaintained bogon filters go unfixed until you track down the responsible parties and thwap them on the head. Short of designing some kind of time bomb (make it possible to turn it off in the config for those who simply can't upgrade and don't intend to) such that after a certain age or other trigger, the code simply refuses to run, the unmaintained systems simply aren't going to get upgraded.

How hard would it be to have bind do some sort of secure.bind.isc.org query at start-up or perhaps even periodically and have it log lots of warnings or refuse to run if the query comes back and tells it the local version has been deferred due to security updates?

One obvious problem with this would be that certain vendors prefer to backport security fixes to older versions rather than test and release new versions...so an insecure-looking version string may actually have had fixes applied. Perhaps the query could be for a timestamp that's defined in the source with the assumption that any code older than the most recent security update must be insecure.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: 69/8 revisited
On Wed, 19 Mar 2003, Stephen Sprunk wrote:
> I'm wondering if there's something special about 69/8... I can't recall
> this sort of discussion for 61/8 through 68/8, at least after CIDR in the
> former Class A space was initially validated.

For a very interesting comparison, do groups.google.com searches for 69.0.0.0/8 and then for 61.0.0.0/8. While the first is several pages of hits saying to block 69.0.0.0/8 as a bogon, all the links for 61.0.0.0/8 seem to suggest blocking that /8 due to spam.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: 69/8 revisited
On Wed, 19 Mar 2003, Scott Granados wrote:
> I've definitely noticed the steady decline in complaints in reachability. I
> think though at some point it will be resolved, after all all the other
> blocks got squared away it seems, or is that an incorrect assumption?

I'd bet they're not all resolved...just mostly to the point that nobody cares. Does anyone have a traceroute web page from another (not 69/8) block that recently went from reserved to RIR allocated? It'd be interesting to see how many of the 69/8 unreachable IPs are unreachable from other reserved->RIR allocated blocks.

By the end of the week, I expect to have a system set up (big system with lots of available bandwidth) where people can do simultaneous traceroutes from 69 and !69 IPs and see the results side by side. I've got this now on my workstation and have included a link to it in most of the filter update request messages I've sent, but I don't want all of nanog (much less /.) hitting my workstation. I also plan to put the reachability database on that system and make the unreachable IPs viewable.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: 69/8 revisited
On Wed, 19 Mar 2003, Rick Ernst wrote:
> Their answer was basically that 69/8 (only) is where they are allocating from
> and that "from reading NANOG, it appears that much of the problem has been
> resolved."

I wonder what they based that ASSumption on? The thread just sort of died...and now you've revived it.

> I haven't seen any updated information that 69/8 is now working for people.
> Is everyone just quiet about it, or have filters actually been updated making
> this a non-issue?

I've been busy with other things, so I haven't been able to spend as much time on my 69/8 reachability project as I did the first few days. I still have a list of about 700 destinations reachable from 209.208/17 but not from 69/8. That's down from about 1000 when I did the first ping sweep. I know I've personally gotten half a dozen or so networks to update their filtering. I've also had several messages apparently go ignored (1 week with no response and no filter update), two of which are US military /16's. A bunch of the remaining affected networks are in other countries where I'm afraid language is going to be a barrier.

This issue will likely never be entirely resolved. Just hope your customers don't care about reaching the remaining affected networks.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: APNIC returning 223/8 to IANA
On Mon, 17 Mar 2003, Leo Bicknell wrote:
> Just like the people who get 69/8 blocks should expect them to be
> fully usable as well, right? Surely if one reserved /24 means you
> can return space and get new space assigned then the inability to
> reach some percentage of the internet is an even bigger, and more
> immediate concern that should warrant the same treatment.

I think all that really needs to happen here is an RFC update that unreserves 223.255.255.0/24. RFC3330 already mentioned that the basis for this reservation was no longer applicable. Someone at IANA just screwed up the order of events, as the block should have been explicitly unreserved before it was assigned.

On the same note, if you do a few google/groups.google.com searches, you'll find that LOTS of people treat the networks marked as IANA-Reserved in http://www.iana.org/assignments/ipv4-address-space in much the same way as RFC1918 space, some even call them quasi-RFC1918 space. A groups.google.com search for 69.0.0.0/8 will turn up 5 pages of hits, nearly all of which are firewall/ipf/ipchains/etc. config examples recommending and demonstrating how to block, among other reserved nets, 69.0.0.0/8.

I'd like to strongly encourage IANA to reexamine all current IANA-Reserved blocks, decide which ones will remain Reserved for the foreseeable future, and which are likely candidates for assignment to RIRs at any future date, and update these to a more suggestive status such as Future-RIR-Assignment. Otherwise, we're going to repeat the 69/8 exercise (significant parts of the net ignoring the space months after assignment...some parts ignoring it likely for years) every time a net goes from being IANA-Reserved to assigned to some RIR.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: [Fwd: FC: Email a RoadRunner address, get scanned by their
I got the following personal message from Mark Herrick of rr.com (which I'm passing along with his permission/request). I hope (and I think he hopes) that by passing it along, some questions can be answered and misunderstandings explained.

In an additional message, he answered my question of "how does rr.com security define 'network owner'?" with the following URL.

http://security.rr.com/subdelegation.htm

So as long as space is swipped or documented in a publicly accessible rwhois server, if you're a contact for the IP block, you should be accepted as the 'network owner'.

BTW...for the time being, rr.com has stopped SMTP relay testing and is focusing entirely on finding and blocking mail from open proxies that have been used to spam their customers.

-- Forwarded message --
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Your NANOG post

Hi Jon,

I was pointed to the thread on NANOG through another person, and I saw your post on the Merit website (below). As I'm not subscribed to NANOG, and unfortunately I am prohibited (from a time resource standpoint, not administratively) from subscribing to that list at this time, but I thought that I'd comment on your post specifically, since it touched on more than one area. If you are so inclined, feel free to pass this along to NANOG, with my regards.

So, just to set one ground rule here - we're talking about proxy and relay testing, not full-out penetration testing. With that in mind...

To directly answer your first paragraph, you are absolutely correct - we have absolutely NO objection to open proxy or relay scanning of IP addresses from a system that either:

1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP server (a la AOL, Outblaze).

That being said, we have, and will continue to have, a severe issue with so-called 'scanning services', that *proactively* scan IP addresses (e.g., DSBL), or services that accept requests from anywhere to perform 'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a source of spam, open to third party relay, or has an open proxy service.

At no time has Road Runner performed any PROACTIVE scanning on any IP address that does not belong to Road Runner. Furthermore, we perform no REACTIVE scanning unless it meets one of the above criteria, and in addition, regardless of whether or not there has EVER been an issue with the network, we will not REACTIVELY scan ANY IP address when there is a request from the *network owner* that we do not do so. We have no wish to be abusive, and as such, we limit scans of an IP to one per week. This is all clearly explained at http://security.rr.com.

You brought up another issue, which I *think* may be pointing to an argument that I had with Ron Guilmette some time ago, when his service was performing relay scans on our IP space or some such. I am fairly certain that this argument took place because I viewed Ron's scans to be proactive in nature. Our stance on proactive scanning has not changed in the 5 years that I have been with Road Runner.

Anyways, as far as your last statement - since the inception of our scanning initiative (1st week in January), we have identified over 50,000 open proxy servers. The problem is big, it's only getting bigger, and it's not going to go away, unfortunately.

Best,
Mark Herrick
Director - Operations Security
Road Runner
Re: [Fwd: FC: Email a RoadRunner address, get scanned by their
On Fri, 14 Mar 2003, Jeff Kell wrote:
> > Basically, RoadRunner tried to spam themselves using my server. I mailed
> > [EMAIL PROTECTED] about this, and received a canned response, enclosed.
> >
> > Under their logic, I feel entitled to poke and prod their customers, just
> > to make sure they don't spam me. Is that fair? I promise to provide an
> > opt-out if anyone complains.
>
> Oh no, they'll bitch, at great length. This was recently discussed on
> SPAM-L ( http://peach.ease.lsoft.com/scripts/wa.exe?LIST=SPAM-L ).

Actually, if you go a few rounds with Mr. Herrick of rr.com, and explain that you want to do the same sort of testing under the same ground rules as security.rr.com, I think you'll find that he will not object.

It is quite ironic (perhaps a sign of how bad the problem of spam on the internet has gotten) that rr.com has decided to emulate those that they have attacked in the past. I suspect we've gotten to the point now that there are more open proxies than open relays on the net, and it seems the proxies are more heavily abused.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: cw to att? issue?
On Wed, 12 Mar 2003, Scott Granados wrote:
> Is there a good place for a listing of the publicly available
> route-servers? I only knew of the oregon one.

http://www.traceroute.org/#Route Servers

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Question concerning authoritative bodies.
On Wed, 12 Mar 2003, Ron da Silva wrote:
> Hmm...copy of centralized DNSBL + local DNSWL = local DNSBL ? I guess
> the point is that centralized data is good in some sense, but ultimately
> mirroring, copying, editing, or selective copy of that data will be done
> by operators in effect to create their own local DNSBL.

So where can we get copies of the AOL DNSBL? :) I wonder how many MB the zone file is.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: 69/8...this sucks -- Centralizing filtering..
On Mon, 10 Mar 2003, Ray Bellis wrote:
> Most people seem to think it would be impractical to put the root name
> servers in 69.0.0.0/8
>
> Why not persuade ARIN to put whois.arin.net in there instead? It
> shouldn't take the people with the broken filters *too* long to figure
> out why they can't do IP assignment lookups...

The vast majority of broken networks won't care/notice. A few will assume ARIN's whois server is broken. How often do people on forgotten networks in China and Albania use ARIN's whois server? Take away the western Internet (all of gtld-servers.net) and they will notice the problem.

From a whois, it appears Verisign owns gtld-servers.net. Do they own just the domain or all 13 gtld-servers as well? Anyone from Verisign reading NANOG care to comment on the odds of Verisign cooperating and helping with the breaking in of new IP ranges?

Also, on a side rant here...Why do all the RIR's have to give out whois data in different, incompatible, referral-breaking formats? The next step in my work once my ping sweep is complete (looks like that'll be today) is going to be to take a list of what looks like it'll be ~1000 IPs and generate a list of the unique networks that are broken. To do this, it'd be nice if there were some key I could get from whois, store in a column, select a unique set from, then reuse to lookup POCs from whois, and send off the emails.

registro.br and LACNIC entries start with inetnum: using what I'll call brief CIDR, i.e.
inetnum: 200.198.128/19

APNIC and RIPE entries start with inetnum:, but use range format. i.e.
inetnum: 203.145.160.0 - 203.145.191.255

ARIN entries include fields like
NetRange: 128.63.0.0 - 128.63.255.255
CIDR: 128.63.0.0/16

The APNIC and RIPE NetRange/inetnum fields are easy enough to deal with, but send a whois request for 200.198.128/19 to whois.arin.net and you get "No match found". Send it as 200.198.128, and whois.arin.net will refer you to whois.lacnic.net. Send it to whois.lacnic.net as 200.198.128, and you get "Invalid IP or CIDR block".

I realize programming around all this is by no means an insurmountable task, but it is a pain. It'd be ideal if there were a unique key field, say Net-ID included in the whois output from all the RIR whois servers that could be used to identify the network and the appropriate whois server. i.e.
NetID: [EMAIL PROTECTED]

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: scope of the 69/8 problem
On Tue, 11 Mar 2003, Stephen Sprunk wrote:
> Come on, you're asking the root and/or TLD operators to renumber their
> servers -- not a trivial task -- every few months to intentionally disable
> their own service for what amounts to an academic experience.

Not for academic experience, but to encourage people to fix their broken filters. And while renumbering a large network might be non-trivial, changing the IP or adding an IP alias on 13 individual servers should be a trivial operation.

> These folks are in the business of running a critical system that requires
> 100% uptime for hundreds of millions of users, and they do a damned good
> job. Let them do it in peace, and find some other "must have" service (like
> porn) to put in 69/8.

100% uptime for the service, not for each individual server.

So now the 69/8 holders, in addition to driving a campaign to get others to fix their networks, should offer free hosting to porn sites? How about free hosting for spamvertized sites?...oh wait, that might make the problem worse :)

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: Question concerning authoritative bodies.
On Tue, 11 Mar 2003, Ron da Silva wrote:
> Hmm...I would argue that every operator needs to run their own DNSBL.

Can you elaborate on why? IMO, there are definite benefits to centralized, shared DNSBLs, especially if testing is involved. Many can benefit from the work done by a few and not have to duplicate the work. If you only DNSBL IPs after you receive spam from them, you have to get spammed by every IP before it's blocked. Why not reject mail from IPs that have spammed others before they spam you and your customers? Though I have problems with the way it's been run, I think that's the idea behind bl.spamcop.net. If they could just restrict nominations to a more clueful group of users, such a system could be very effective for blocking spam everywhere as soon as one system gets hit. For spam from open relays and proxies, a centralized DNSBL that tests the IPs that talk to servers using it can be just as, if not more, effective.

> It would be very difficult to convince any operator to give up control
> of defining their own DNSBL (or even not having one at all).

You can use a central DNSBL without giving up total control. Shortly after I configured servers to use a DNSBL for the first time, I recognized the need for a local DNSWL and have continued to use one ever since. When I set up other people's servers to use DNSBLs, I help them set up a DNSWL and explain how to maintain it.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
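The "central DNSBL plus local DNSWL" arrangement described in this post and in the Verizon/MAPS RSS post above ("figure out how to whitelist first") is easy to get wrong in ordering. The added example below (not code from either post) shows the lookup convention and makes the whitelist win before any list is consulted; the zone name and the resolver are constructed stand-ins so it runs offline.

```python
import ipaddress

# DNSBL convention: reverse the octets and look up an A record under the list zone;
# an answer in 127.0.0.0/8 means "listed". The zone here is a constructed placeholder.
DNSBL_ZONES = ["bl.example.test"]
LISTED_RESULT = ipaddress.ip_network("127.0.0.0/8")

# Constructed stand-in for DNS: query name -> A record text (absent = NXDOMAIN).
# Addresses come from the RFC 5737 documentation ranges.
FAKE_DNS = {
    "5.2.0.192.bl.example.test": "127.0.0.2",
    "9.2.0.192.bl.example.test": "127.0.0.2",
    "7.100.51.198.bl.example.test": "10.9.8.7",   # bogus answer from a dead or wildcarded list
}


def fake_resolve(name):
    """Stand-in resolver: return the A record text, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 192.0.2.5 -> 5.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"IPv4 dotted quad expected: {ip}")
    return ".".join(reversed(octets)) + "." + zone


class LocalWhitelist:
    """Operator-maintained DNSWL equivalent; consulted before any DNSBL."""

    def __init__(self, entries):
        self.nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.nets)


def classify_connection(ip, whitelist, zones=DNSBL_ZONES, resolve=fake_resolve):
    """Decide accept/reject for a connecting IP. Returns (verdict, reason).

    Order matters: the local whitelist is checked first so a mis-listing of a
    known-good relay (the Verizon case in the thread) never bounces mail, and
    answers outside 127/8 are treated as list breakage rather than a listing.
    """
    if whitelist.contains(ip):
        return ("accept", "local whitelist")
    problems = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in LISTED_RESULT:
            return ("reject", f"listed in {zone} ({answer})")
        problems.append(f"ignored unexpected answer {answer} from {zone}")
    reason = "not listed"
    if problems:
        reason += "; " + "; ".join(problems)
    return ("accept", reason)


if __name__ == "__main__":
    wl = LocalWhitelist(["192.0.2.9/32"])
    for ip in ("192.0.2.5", "192.0.2.9", "198.51.100.7", "198.51.100.8"):
        print(ip, classify_connection(ip, wl))
```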
RE: Move all 9-1-1 to 8-5-5
On Tue, 11 Mar 2003, Mark Segal wrote:
> Yes.. But most people don't run translations for all NPA-NXXs on their 4
> line PBX

And your misconfigured PBX won't likely stop me from calling you...just you from calling me. Bad bogon filters stop or prevent traffic in both directions.

If anyone has a better idea for shifting the burden to and thus creating motivation for those with broken filters to fix them now, by all means, share your idea. If you don't have a better idea yet, go ask ARIN for some space. They have lots of 69/8 left. Maybe when you're in the club, you'll be more motivated to think of ways to quickly encourage others to fix their networks.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
RE: 69/8...this sucks
On Mon, 10 Mar 2003, Frank Scalzo wrote:
> We don't need the administrative headache of ICANN/ARIN/RIRs on this.
> Someone could just do it with a private ASN and advertise the route with
> an arbitrarily null routed next-hop.

That's a non-solution that will never happen. How many networks are going to trust joe somebody to inject null routes into their backbone? Will UUNet/Sprint/C&W/Level3/etc. trust me or Rob to tell them what's a bogon and what's not? I really doubt it. They might have an easier time trusting their local RIR, but I wouldn't be surprised if they didn't. I realize this sort of thing worked early on with the RBL, but that was for a different purpose. For those who took the RBL via BGP, I suspect the benefit of blocking spammers from their networks outweighed the risk of RBL abuse and people trusted Vixie to be objective and honest.

> That doesn't solve the problem of bad filters on firewalls.

Several people pointed that out earlier. Botched / outdated firewall configs may be a bigger problem than BGP filters. For a glimpse at why, see

http://groups.google.com/groups?q=69.0.0.0%2F8&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search

> The problem is lots of books/webpages/templates/etc. say filter bogons.
> People not smart enough to understand the responsibilities of doing so
> implement it and forget it. Instead of trying to beat up on the large

Worse is that there are pages and pages full of links to usenet posts with these outdated bogon filters. Books and web pages can be updated. The usenet archive isn't going away and won't be revised. People who don't know any better are going to continue to misconfigure bogon filters indefinitely unless something is done to periodically whack some sense into them.

> Funny the media gets all excited about BGP security and dDos attacks
> against a root nameserver yet no one ever seems to mention the real
> scalability issues like that we can't allocate large parts of the net
> because many network operators aren't bright enough to update filters.

I know some writers watch nanog for potential stories. Wake up guys, this should be one...if not for the news value "ARIN gives out unusable IPs, future of the Net in question", then at least for the public service value of getting the word out that bogon filters need to be maintained and kept up to date or they do more harm than good.

--
Jon Lewis [EMAIL PROTECTED] | I route
System Administrator | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
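The recurring point of the 69/8 posts (the 69box sweep, the IANA-Reserved thread, and this one) is that a bogon filter copied from an old usenet post silently starts blocking assigned space. The added example below, not code from any of the posts, audits a Cisco-style deny list against an allocation table; the ACL and the allocation snapshot are constructed, and the snapshot must be regenerated from the IANA registry the thread links to before any real use.

```python
import ipaddress
import re

# Constructed, deliberately partial snapshot, NOT the live registry: regenerate it from
# http://www.iana.org/assignments/ipv4-address-space before trusting an audit result.
ALLOCATED_SNAPSHOT = {
    "61.0.0.0/8": "APNIC",
    "69.0.0.0/8": "ARIN",
}

# Space that stays unroutable regardless of registry changes (RFC 1918 plus this-host/loopback).
PERMANENT_BOGONS = [ipaddress.ip_network(n) for n in
                    ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ACL of the kind the usenet posts cited in the thread hand out verbatim.
SAMPLE_ACL = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 61.0.0.0 0.255.255.255 any
access-list 100 deny ip 69.0.0.0 0.255.255.255 any
access-list 100 deny ip 100.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""

ACL_RE = re.compile(
    r"^access-list\s+\d+\s+deny\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any"
)


def wildcard_to_prefixlen(wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.255.255.255 -> /8.

    A non-contiguous mask cannot be expressed as a prefix, so it is rejected
    rather than mis-audited.
    """
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return plen


def parse_deny_entries(acl_text):
    """Extract the networks that 'deny ip <addr> <wildcard> any' lines block."""
    nets = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            addr, wildcard = m.groups()
            plen = wildcard_to_prefixlen(wildcard)
            nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets


def audit_bogon_filter(acl_text, allocated=ALLOCATED_SNAPSHOT):
    """Return {denied_network: (status, detail)}.

    STALE   - the entry overlaps space the snapshot says an RIR now holds (69/8 case)
    OK      - permanently unroutable space, safe to keep
    RECHECK - not in the snapshot; confirm against the current registry before keeping it
    """
    alloc = {ipaddress.ip_network(k): rir for k, rir in allocated.items()}
    report = {}
    for net in parse_deny_entries(acl_text):
        hits = [(a, rir) for a, rir in alloc.items() if net.overlaps(a)]
        if hits:
            detail = "overlaps " + ", ".join(f"{a} ({rir})" for a, rir in hits)
            report[str(net)] = ("STALE", detail)
        elif any(net.subnet_of(p) for p in PERMANENT_BOGONS):
            report[str(net)] = ("OK", "permanently unroutable")
        else:
            report[str(net)] = ("RECHECK", "not in snapshot; confirm against current registry")
    return report


if __name__ == "__main__":
    for entry, (status, detail) in audit_bogon_filter(SAMPLE_ACL).items():
        print(f"{status:8} {entry:18} {detail}")
```

Scheduling this against a freshly downloaded registry is the "periodic whack" the post asks for, applied to one's own filters before someone else's ping sweep finds them.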