Re: Dell power connect switches.

2004-05-20 Thread jlewis

On Thu, 20 May 2004, Joel Perez wrote:

> We are planning to deploy several Dell PowerConnect 3324, 3348 and 6024
> switches on our network.

I don't know how related they are (if at all), but we were suckered into
buying several Dell PowerConnect 3248's some time ago.  We have a serious
issue with them in that the telnet CLI tends to cease properly accepting
connections after a while...making them effectively dumb unmanaged L2
switches.  If anyone's aware of a fix for this (other than serial
consoles), I'd love to hear it.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Barracuda Networks Spam Firewall

2004-05-17 Thread jlewis

On Mon, 17 May 2004, Jared B. Reimer wrote:

> >We had this problem when our inbound-smtp server ( the server the
> >barracuda is dumping mail to) was accepting all RCPT TOs:   As a result
> >dictionary attacks were getting through and creating 'unique recipients'
> >on the Barracuda.   As soon as I fixed my mail server to reject with a 220
> >error on bogus RCPT TOs  the problem cleared up.
>
> This is a pretty serious flaw IMHO, if it is (in fact) true.  qmail isn't
> the only mailer that behaves this way.  It looks like they may have tried
> to kludge their way around this with LDAP in the case of MS Exchange, which
> also does asynchronous bouncing of undeliverable mail IIRC.

The fault here is with qmail.  The barracuda was doing exactly what it was
designed to do.  qmail can be patched to be smarter (google for qmail
spamcontrol or magic smtpd).  Accept all, then try to bounce, is a recipe
for disaster with today's dictionary attackers and virii that will send to
randomly created destinations from randomly created forged froms.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: route-views.oregon-ix.net

2004-05-10 Thread jlewis

On Mon, 10 May 2004, Peter Rohrman wrote:

> Is route-views.oregon-ix.net down?  I cant get to it.

I noticed the same thing earlier today and intermittently last week.
I still can't get to it (telnet or ping).

Traceroute ends with:

11  unknown.Level3.net (63.211.200.246)  77.438 ms  87.132 ms  82.573 ms
12  ptck-core2-gw.nero.net (207.98.64.138)  77.529 ms  78.278 ms  79.683 ms
13  eugn-core2-gw.nero.net (207.98.64.1)  81.284 ms  80.455 ms  80.721 ms
14  * * *

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: "Network Card Theft Causes Internet Outage"

2004-05-04 Thread jlewis

On Tue, 4 May 2004, Andy Dills wrote:

> http://www.eweek.com/article2/0,1759,1583347,00.asp
>
> "Law enforcement officials said four DS-3 cards were reported missing from
> a Manhattan co-location facility owned by Verizon Communications Inc. The
> theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is

Is this part really surprising to anyone who's got gear in unsupervised
LEC colos where everyone is in open relay racks in a large open space?

> being investigated by New York City Police and members of the joint
> terrorism task force, according to NYPD spokesman Lt. Brian Burke. "

This seems a bit over the top.  A couple years ago when we had a part
stolen out of one of our routers in a WCOM colo facility, we couldn't get
the local PD to do jack.  A report was filed...but I think they filed it
in the circular file, because nobody ever investigated, despite the fact
that WCOM had just installed a card reader system to replace the simplex
door locks, so in theory, they knew who was in the room when our stuff was
stolen, but they refused to release the info to us.

I guess we should have suggested it was an act of terrorism.

> Trying to fix our terrorism problem like this is like trying to fix the
> spam problem using IP-based blacklists.

No...I'd say it's more like fighting the spam problem with nuclear
weapons...now there's an idea.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-04-26 Thread jlewis

On Mon, 26 Apr 2004, Rodney Dunn wrote:

> That's the most common deployment mistake I
> see made with the 75xx nowadays.  People want
> to move to dCEF to get added feature capability
> or either run a new feature that requires dCEF and they
> don't consider the extra load on the VIP CPU's that
> is required.

Does dCEF use much more CPU on the VIPs or just memory (to store the
fowarwarding table on the VIP)?  My experience has been that a 7500 with
RSP4's and VIP2-50's (with dCEF) will handle much more packet forwarding
than a 7206VXR NPE300...but with full BGP routes, you need at least 64mb
(preferably 128mb) on the VIPs or you can't use dCEF.  Not using dCEF
largely defeats the purpose of using a 7500, doesn't it?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-04-26 Thread jlewis

On Mon, 26 Apr 2004, Michel Py wrote:

>
> > "Alexander Hagen"
> > What about a 7505 w/ RSP4/256 and 2 VIP 2-50/128s with 4 PA-FE-TXs.
>
> I would get a 7507 w/redundant RSPs and redundant PS.

You'd get a 7507 (only if it were a choice between that or a 7505?), but
then at the end of your message, you say you wouldn't buy any 7500?

> >> What is better about the 7206 VXR ?
> > Fewer software bugs,
>
> Not in my experience.

A couple 'advantages' to the 7206 are much smaller size & mass.  The 7206
is single person portable.  The 7507 and 7513 are very much larger and
much more massive.  You'll never see someone running down the street away
from your data center with a 7507 under their arm.

> The part I missed earlier is that I think Alexander needs to buy the
> platform. As of today I can not recommend buying any 7500 as even the
> 7507 and the 7513 are going to EOL sooner or later. If you can't afford
> a 7603, then the 7206VXR with NPE400G and a gigabit trunk to a 3550 is
> what I would do.

A basic 7507 (dual PS, dual RSP4, couple of VIPs and PAs) is so cheap
today, if he's strapped for cash, that's what I'd go for.  I'm guessing
you can still get at least several years out of such a box, and by the
time you've outgrown it or cisco stops making IOS for it (they still make
IOS for AS5200's!), hopefully you'll have the cashflow to upgrade.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)

2004-04-17 Thread jlewis

Steve Linford wrote:

> AT&T customers have contacted us saying they can't reach any of our
> DNSBLs, seems AT&T have defined a fake sbl.spamhaus.org zone in their
> DNS servers so when AT&T customers ask AT&T's NS 12.149.189.2 for
> sbl.spamhaus.org they get:
> ...

I was looking at this some more last night, and noticed this appears to
have been some kind of mistaken identity issue.  Check the whois and
PTR for 12.149.189.2.  It certainly doesn't appear to be an AT&T
maintained DNS server.

If there really are/were AT&T customers who couldn't resolve the various
popular DNSBLs, I wonder, was the issue caused by something else?  Are
they setup to query the wrong DNS servers...perhaps 12.149.189.2 used to
be an AT&T DNS server before 2001-09-05, but since then, it's been an AT&T
customer's machine.  Maybe that customer is getting hammered with queries
from old AT&T customers and is trying to encourage them to go elsewhere
for DNS service.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: SORBS Insanity

2004-04-15 Thread jlewis

On Thu, 15 Apr 2004, Joe Maimon wrote:

> Speaking about whitelistingcomp.mail.sendmail google
> link...Reproduced below..
>
> http://groups.google.com/groups?q=sendmail+whitelist+dns&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&selm=ac4e9990.0311250514.65c4e614%40posting.google.com&rnum=9

ok...you've now drifted way off-topic for NANOG IMO.  This belongs in
spam-tools or spam-l.

> I was wondering if any of you use *dns* lists for whitelisting purposes.

Yes...for several years.

> I have found a couple of whitelists online (bondedsenders) and their
> m4 was far from satisfactory.

Why?  I came up with essentially the same rules (modified dnsbl.m4 to
support DNSWLs) as them back in 2001 and have been using it ever since at
multiple sites with privately maintained DNSWLs.  For that usage, it works
fine.  If you want to use it with someone else's DNSWL and they have
different 127.x.y.z return codes for different whitelisting reasons, sure,
it's too primitive, and you'll likely need to modify enhdnsbl.m4 to make
your own enhdnswl.m4, or do something similar.  Why the sendmail folks
have chosen to support DNSBLs but not DNSWLs, is still a mystery to
me...but this has little to do with network operations.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: SORBS Insanity

2004-04-14 Thread jlewis

On Wed, 14 Apr 2004, Jeremy Kister wrote:

> telling them they were mistaken.  Finding no documentation on how they
> deem networks "dynamic" or "static" I changed my rDNS scheme from
> ppp-64-115-x-x to 64-115-x-x Note to all: "ppp" in no way signifies
> dial-up; we run ppp over almost every circuit we have -- from dialup to
> OC12, to Ethernet and ATM.

I think you'll find it's pretty commonly assumed (not just by certain
DNSBLs) that "script generated" DNS is dynamic.  Prepending it with ppp-
makes the assumption seem to be even more of a slam dunk.  Just to pick an
example, dummy-smtpd assumes that any host that matches
/\d{1,3}.\d{1,3}.\d{1,3}/ is "dynamic host with with script-generated rDNS
name".  I think the feeling is, "if you care enough about the system that
it should be a legitimate mail server, it ought to have 'unique' rDNS."
rDNS matching what it HELO's as is nice too.

> I also stated how all of our network was scanned twice a day for open-relay
> mail servers.  Being a bigish ISP, we are _huge_ on our abuse policies, and
> our abuse bucket [usually] has only memories of tumbleweed blowing by.

Irrelevant.  Unless you're doing full port scans, you're not going to find
the open proxies.  Open relays are old school for spamming.  Open and
stealth proxies are the current methods.  Are you looking for HTTP Connect
proxies on 65506, 6588, 48669, etc.?  How about the socks5 proxy on
64.115.63.248:35762, which BTW is
static-64-115-63-248.isp.broadviewnet.net.

>  2.  that to prevent further hysteria, I had changed the reverse dns from
>   ppp-64-115-x-x to static-64-115-x-x and dynamic-64-115-x-x,
>   respectively.

That's better than the original.  Would you really expect people in
today's spam overrun climate to accept email from a system identified as
ppp-64-115-x-x.isp.broadviewnet.net?  I don't know about you, but that
just screams dialup to me.  64-115-x-x.isp.broadviewnet.net isn't much
better.

>  3.  their blindness was very unprofessional, deeming SORBS a Worthless
>   Project ran by Ignorant Half-Wits

Your thinking that won't change the minds of thousands of systems blocking
millions of spams with their list.

> As of this date I have not received a response from anyone at sorbs, and do
> not expect one.   Our support crew is overwhelmed with upset customers who
> cant send email to their associates.  Our only response to them is that we
> have tried to resolve the issue, but could not, and that the remote ISP
> should stop using sorbs.

Did it occur to you to setup reverse DNS to match forward DNS?  Are these
customers running DNS that says "our MX records are
64-115-x-x.isp.broadviewnet.net and 64-115-x-y.isp.broadviewnet.net"?  I
really doubt it.  Having them smarthost their mail through your server
(it's not 64-115-x-x.isp.broadviewnet.net too, is it?) would also be a
no-brainer immediate solution until you can work things out with SORBS.

------
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Lazy network operators

2004-04-10 Thread jlewis

On Sat, 10 Apr 2004, Chris Boyd wrote:

> Please note that we no longer accept any network abuse reports at this
> address. Any reports must be submitted by using the following web form:
> http://www.ntlworld.com/netreport
>
> Any reports sent to this email address will not be read and will be
> automatically deleted.

I can guess their reasoning for this is they're tired of bogus complaints
(from address on spam/virus was forged to look like it came from them) or
complaints lacking the necessary detail to take any action...but the way
they've implemented their forms is not going to win them any fans.

You have to click through multiple layers of forms before you can actually
put in any details.  None of the reason options are SPAM.  And on my first
try, their site caused Mozilla to crash.

Also, I doubt this was a decision made by the "network operators", but
rather by the abuse department or more likely, whoever oversees it,
perhaps figuring that by having the web form CGI neatly categorize all
complaints, they can get by with less staff (or clue) handling abuse.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: MLPPP Follow Up - How we fixed the problem

2004-04-01 Thread jlewis

On Thu, 1 Apr 2004, Paul Stewart wrote:

> Any issues with more than 2 connections?  We have a customer that we are
> doing this for right now with two T1's.. Customer wants a third one
> possibly.. Can't see a problem but thought I'd ask...
>
> How many could you theoretically do if you really had to? ;)

AFAIK, depending on IOS version, the max-paths you can load balance with
CEF is 6 or 8.  i.e. In some older versions, it is 6, and I've had to do
upgrades to get 8 T1's to load share.

Most instances of this that I've done have been on our own network where
we use OSPF on the T1's and set maximum-paths in router ospf.  I have
seen/done 4xT1 service load balanced to customers using static routes.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: MLPPP Follow Up - How we fixed the problem

2004-03-31 Thread jlewis

On Wed, 31 Mar 2004, Mark E. Mallett wrote:

> > ip route X.X.X.X 255.255.255.252 Serial1/0/0/13:0
> > ip route X.X.X.X 255.255.255.252 Serial2/1/0/14:0
> >
> >
> > The only problem that we ran into was that we had to use the Serial designator
> > of the interface in our route statement otherwise it will not work (or
> > at least it did not for us).
>
> FWIW I have also observed that it is necessary to specify the
> interface when doing per-packet load balancing across multiple PVCs,
> e.g. as when doing load balancing across multiple DSL circuits.  I

I've done lots of this (with clear T1's, no frame or DSL), and never run
into that issue on 3640, 7206, 7500 series routers.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: DSL and/or Routing Problems

2004-03-30 Thread jlewis

On Tue, 30 Mar 2004, Stewart, William C (Bill), RTSLS wrote:

> > ping did _this_
> Ping is not very informative or accurate.
> If you run a traceroute, which is also not very accurate,

Get the best of both tools and use mtr (assuming unix-like platform).
There are similar tools for windows (pingplotter?).

This thread reminds me of my own DSL, which rides the ILEC's network and
is handed off to $work at the CO as an ATM PVC.  For years, my DSL service
has osciliated from fine (20-30ms ping times) to not good (200-300ms)  to
unusable (>=1000ms ping times).  It seems to work fine for months, then
get bad to really bad for days or weeks at a time.  I've replaced CPE
several times, and even keep 2 totally different brand/model routers at
the house, just in case (so when I call the DSG, I can say "yes, not only
have I power cycled it, I've replaced the router").  I've spent
considerable time on the phone with the ILEC.  Most calls, they claim
there's nothing wrong.  A few times, they've admitted it's a known problem
with the "lt card", not that that means much to me, and resetting it often
makes things better.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Broadwing opinions

2004-03-24 Thread jlewis

On Wed, 24 Mar 2004, Steve Francis wrote:

> Anyone care to share opinions on broadwing as an upstream?
> Responsiveness/cluefulness of noc and how well they manage their
> infrastructure (in terms of good change management, etc.) would be good
> to know.

With or without your own PI (or some other provider's PA) IPs?  It's
getting to the point where it's not possible to use any large provider's
PA space and not be affected by one of several DNSBLs that use "collateral
damage" as a motivator for change...not that it seems to work terribly
well against the largest providers.

http://www.spamhaus.org/SBL/listings.lasso?isp=broadwing.com

The system this message is being sent from uses broadwing.com as one of 4
transit providers and has recently run into issues sending email to sites
using either spews or fiveten as each of the (different providers) PA IP
blocks in use are listed in one or both of these DNSBLs as well as
additional less known DNSBLs.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Personal Co-location Registry

2004-03-18 Thread jlewis

On Thu, 18 Mar 2004, Mr. James W. Laferriere wrote:

>   Tyan (& another I can't remember now) have console forwarding to
>   the com1 port .  This MB is available in PenguinComputing's 1u &
>   2u systems .  They run *BSD just fine as well .  Hth ,  JimL

Many of Intel's server boards support this (or at least did as of several
years ago).  I had some issues getting Linux to play nice with that
feature turned on.  I never had one of them sitting around long to figure
out the issues before putting them in service (with console redirection
turned off).  This was the T440BX/NL440BX board, which is kind of dated
now.

If you have some old Cacheflow boxes sitting around, they probably
have this board in them.  I don't know if they've done anything to them
that would cause problems using it in something other than the cacheflow.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Packet Kiddies Invade NANOG

2004-03-16 Thread jlewis

On Tue, 16 Mar 2004, Alexei Roudnev wrote:

> Hmm, if someone (except masochists and security vendiors)  still hosts
> efnet... I can only send them my condoleences.
>
> I saw sthe same dialogs 6 years ago. Nothing changes.

What about undernet?  A customer wants us to help him setup an undernet
IRC server.  My gut feeling is, hosting IRC servers (especially on the
well known networks) is like wearing a "kick me/flood me" sign on your
network, and it's probably not going to be worth the pain & pages.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)

2004-03-15 Thread jlewis

On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:

> Maybe NANOG needs to implement a system where you have to log
> in to a web page with your NANOG meeting passcode in order to
> get a usable IP address. Then, when an infected computer shows
> up we will know exactly whose it was. Might even be interesting
> for a researcher to interview every infected party and figure
> out why it is happening even among a supposedly clueful group.

I find it ironic that one of the presentations at the last nanog was about
a system kind of like that:
http://www.nanog.org/mtg-0402/gauthier.html
and that we had some luser on the nanog30 wireless network infected by SQL
slammer.

Does anyone know who that was, how/if they were located and removed from
the network, and whether they brought an infected PC (either via stupidity
or as a joke) or simply brought an unpatched system out from behind their
firewall/packet filters and got infected before they got a chance to
actually use the network?

After that incident, I sniffed the wireless for a little while and noticed
slammer is alive and well out on the internet and still trying to infect
the rest of the internet.

We're still blocking it at our transit borders.  The one time it was
removed (accidentally), a colo customer was infected very shortly after
the filter's protection was lost.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: who offers cheap (personal) 1U colo?

2004-03-14 Thread jlewis

On Sun, 14 Mar 2004, Christopher L. Morrow wrote:

> There are several blacklists that clearly want more from the ISP than an
> explanation that the offendors are being/were removed... one good example
> is 'spews'.

What do you think spews wants?  My experience with them has been that
that's pretty much the only thing that will satisfy them.  I have had
customer IPs in spews, and got them removed.  "I've" also been collateral
damage (at a consulting client's site), which sucks, but that's the stick
spews wields.  In most cases, that's encouragement enough for a provider
to clean up their network or keep it from becoming a mess.  Sometimes it's
not.

> As was pointed out to me by a co-worker: "Linux is not anymore inherently
> secure than anyother OS." The difference really comes in the
> administration of the pee cee. So, would upgrading joe-random-user to
> Linux really make things better for them? (or us?) That is not clear at
> all at this point.

That's an argument for another list...but the short answer is no, giving
JRU who knows nothing about Linux a default install, especially a popular
one, say Red Hat, is not much, if any, better.  They won't maintain it.
It will be hacked.  At least it probably won't be done with and then
participate in email viruses.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: who offers cheap (personal) 1U colo?

2004-03-14 Thread jlewis

On Sun, 14 Mar 2004, Bohdan Tashchuk wrote:

> Question: Why can't a provider sell virtual PC colocation, instead of
> physical PC colocation?

Several do.  We nearly bought a failing one that was doing alot of this
with a commercial Linux virtualization product.

> So instead of 40 physical machines per rack, why can't it be 80 or 160
> or even more virtual machines, running on 40 physical Linux boxes? I
> think the economics could shift significantly under those circumstances.

During the short time we managed their network and systems, I had to poke
around on a couple of the virtual machines to fix customer issues.  I
don't remember how many virtual machines they ran per physical machine,
but IIRC, they were all P4's with several GB of RAM.  Each customer got
root and their own IPs on what appeared to them to be a dedicated server.

IIRC, Paul was suggesting part of the value in the $50/month colo deal was
that customers were motivated to be good else you keep their server or
ebay it.  You lose that with the virtual private server model...but does
anyone actually have in their contract/AUP that AUP violators will forfeit
their hardware?  We've kicked some spammer colo customers where I'd love
to have had such a clause.  I only know of one case where we did
that...and it was for non-payment.  The customer's hardware was worth less
than their balance, so they chose to simply write us off.  Being located
in another country, it wasn't worth the effort to try extracting $ from
them.


--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: who offers cheap (personal) 1U colo?

2004-03-13 Thread jlewis

On Sat, 13 Mar 2004, Michel Py wrote:

> 
> $50 is a lot of money; I currently send email from my aDSL address
> because a) my ISP's smarthost sucks  b) historically their SMTP hosts
> have been blacklisted more than mine c) even if they did not suck (which
> has improved a lot recently, actually) they still won't accept large
> attachments or mailing-list traffic.
> I pay $36/mo for my aDSL. $50 _more_ sounds a lot.
> 

I checked with our hosting dept. and we won't sell 1U traffic policed colo
quite that cheap.  Close to it, but not $50/month.  And I agree, for most
people spending an extra $50/month just to be able to send email (though I
imagine they'd also do some personal web hosting and maybe other things as
long as the machine was there), not to mention the expense of buying a 1U
server and having to maintain it remotely isn't going to fly.  You'd have
to be a pretty hard core netgeek and have the disposible income ($600/year
+ the server...I can think of lots of better ways to spend that) to
consider that a good solution...at which point why not just pay a bit
extra to your ISP (or another ISP) and get a static IP with reverse DNS,
which I would think would get you excluded from most reasonable DNSBLs.

For most people it'd probably make much more sense to find a provider that
offers some form of SMTP relay service.  It'd probably be cheaper/month,
and they wouldn't have the trouble and expense of providing/maintaining
a colo server.

> Besides, although this list is definitely the right place to find people
> that would operate a personal SMTP relay in a colo just by the virtue
> that it's the geeky thing to do, what does it change in the big scheme

I'd imagine you could even find a few friends and share the cost/utility
of the server such that it only cost each person a few dollars/month...but
then someone's got to pay the bills, collect money, harass the people who
don't pay their share, etc.

> of things? All these small business customers (20 persons) that I have
> that use a sub-$100 "business" DSL and M$ Small Business Server +
> Exchange are not going to go for it, because the cost then will suddenly
> become $50 plus the 1U server plus my time plus maintaining it.

What if the cost were only $10/month and they didn't have to maintain
anything other than a set of usernames/passwds (SMTP Auth) or perhaps a
list of their own IPs (relaying based on IP)?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: Proposal: De-boganising New Address Blocks

2004-02-24 Thread jlewis

On Tue, 24 Feb 2004, Michel Py wrote:

> Good idea, no contest. Now, the devil's advocate asks: what makes you
> think that operators/ISPs are going to react faster to your pilot stuff
> being bogonized than they would to real traffic being bogonized, as if
> it's a pilot project it's by definition not urgent and can wait
> tomorrow?
> 
> Although I salute the effort, I am concerned that this will not change
> current reactive behavior which is to wait for the shit to hit the fan
> to update bogon lists. Might sound sad, but I think the way to

Assuming the pilot program does some form of reachability testing and then 
some effort is made to notify those with bad filters (good luck), then at 
least this notifies them before it's a real inconvenience for anyone.  
They may or may not choose to react, but at least this puts them on notice 
that they have a problem that will be real in the near future.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Anti-spam System Idea

2004-02-15 Thread jlewis

On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:

> If we advertise the DHCP pools for AS1312 in a DUL, we solve the problem for
> those sites that use the DUL we list them in.
> 
> If we block outbound port 25 SYN packets from origin addresses in the DHCP
> address blocks, we solve the problem for everybody.

No...you just speed up the migration (which has already begun) to spam
proxies that use the local ISP's mail servers as smart hosts.  Then you
have to come up with a way to rate-limit customer outbound SMTP traffic.

BTW...who brought SARS (or more likely just flu) to nanog30?  I drove (so 
I didn't catch it on the plane) and symptoms (sore throat, congestion, 
very high fever) started thursday.  I've spent most of the weekend in bed 
waiting to die.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Anti-spam System Idea

2004-02-14 Thread jlewis

On Sat, 14 Feb 2004, Tim Thorpe wrote:

> If these exist then why are we still having problems? 

Because the spammers are creating proxies faster than any of the anti-spam
people can find them.  Evidence suggests, at least on the order of 10,000
new spam proxies are created and used every day by spackers 
(spammer/hackers).

The relative insecurity of windows and ignorance of the average internet 
user has created an incredibly target rich environment for the spackers.
 
> Why do we let customers who have been infected flood the networks with
> traffic as they do? Should they not also be responsible for the security
> of their computers? Do we not do enough to educate?

Economics, and convenience outweighing security.  We're big, and slow to 
change.  They're small and mobile.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Anti-spam System Idea

2004-02-14 Thread jlewis

On Sat, 14 Feb 2004, Tim Thorpe wrote:

> 95% of spam comes through relays and its headers are forged tracking an
> E-mail back that you've received is becoming next to impossible, its also
> very time consuming and why waste your time on scumbags?

s/relays/proxies/
The proxies are tough to find since they can run on any port.  Some of 
them even pick random ports, then "phone home" to tell the spammer which 
IP/port was just created as one of their open proxies.

> my idea;
> a DC network that actively scans for active relays and tests them, it
> compiles a list on a daily basis of compromised IP addresses (or even
> addresses that are willingly allowing the relay) making this list freely
> available to ISPs via a secure and tracked site.

You're a few years late.  See http://dsbl.org.  For a non-DC version, see 
http://njabl.org.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: SMTP relaying policies for Commercial ISP customers...?

2004-02-13 Thread jlewis

On Fri, 13 Feb 2004, Leo Vegoda wrote:

> > Yes, that is a little bit stickier of an issue, IFF your goal is to
> > somehow continue to provide the would-be spammer with the ability to send
> > traffic to the net, provided it doesn't transit your mail server. I feel
> > that you're overlooking the simple solution. Blocking the entire account
> > so they can't access anything is the proper response to a spamming
> > incident.
> 
> If you block the entire account then the user can't use the account
> to download the updates your Abuse Team will responsibly want to
> point him/her at. If you want to lose the customer then that's your
> business. If you want to keep the customer, helping them fix their
> mistakes is probably a painful and thankless task - but important
> and useful to the whole Internet community.

What about http://www.nanog.org/mtg-0402/gauthier.html

After seeing that presentation, I wondered if an ISP could get away with 
something similar.  Eric has the advantage of being the monopoly service 
provider for the dorms.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Interesting BIND error

2004-02-12 Thread jlewis

On Thu, 12 Feb 2004, Chris Adams wrote:

> Once upon a time, Brian Wallingford <[EMAIL PROTECTED]> said:
> > We've been seeing the following on all of our (9.2.1) authoritative
> > nameservers since approximately 10am today.  Googling has turned up
> > nothing;  I'm currently trying to glean some useful netflow data.  Just
> > wondering if this is local, or if others have suddenly seen the same.
> 
> I'm seeing them too (also BIND 9.2.1).  They seem to come in bunches.
> It looks like they started at a little after 5am (CST) today.

They started yesterday evening here but we're only seeing it on some of 
the name servers.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-02-09 Thread jlewis

On Sun, 8 Feb 2004, Alexander Hagen wrote:

> Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ?

I can't say why cisco charges so much for the PA-2FE, but the CX-FEIP-2TX
is cheap because it's ancient (EOL'd some time ago) and probably not
capable of running both ports at line-rate anyway.  Don't buy them unless
you're hooking up very low traffic LANs.  Your best bet is PA-FE's and
enough VIP2-50's for the number of PA-FE's you need.

Also, watch out for PA-2FEISL-TX's.  They're also not capable of handling 
both interfaces at line-rate.  That's why they're available for just a few 
hundred $.

http://www.cisco.com/warp/public/cc/pd/ifaa/ifpz/prodlit/969_pp.htm
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: other virus damages/costs.....(hello skynet.be ?)

2004-02-02 Thread jlewis

On Mon, 2 Feb 2004, Mike Tancsa wrote:

> Looking at my disk stats, my mail storage spool has grown by 15% in the 
> past week not due the deluge of viruses which I can block and reject, but 
> in large part to those idiotic "Hi, I am sorry in a happy idiotic way to 
> inform you that the message you sent has a virus" messages  As almost 
> all of them forge their email address, what is the point of warning the 
> "sender."  Even better, I wake up this am to 285 (and growing) messages 
> below telling me that someone at skynet is trying to send me a virus 
> message and it cc's 64 other people.  Nice.

Enough people are sufficiently annoyed by antivirus 
notifications/advertisements that they're starting to ask for DNSBLs of 
systems that send them.  I suspect before long, there will be some.

But this really doesn't seem to be NANOG material.  Try spam-l or 
spamtools.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Did Wanadoo, French ISP, block access to SCO?

2004-02-01 Thread jlewis

On Sun, 1 Feb 2004, Sean Donelan wrote:

> EWeek is reporting an anonymous source that Wanadoo, a major French ISP,
> has stopped all traffic to SCO's web site?
> 
> Is this true?  Have any other ISPs taken similar action?

Can you block access to something that doesn't exist?

; <<>> DiG 9.2.2-P3 <<>> www.sco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.sco.com.   IN  A
 
;; AUTHORITY SECTION:
sco.com.1582IN  SOA ns.calderasystems.com. 
hostmaster.caldera.com. 2004020103 3600 900 604800 1800
 
sco.com still has an A record, but it seems filtered.  I can't 
ping / traceroute / tcp/80 it.

Their MX is still reachable (ping / tcp/25 at least).

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: CIsco 7206VXR w/NPE-G1 Question

2004-01-30 Thread jlewis

On Fri, 30 Jan 2004, Michel Py wrote:

> That would be where the NPE-G1 would be better than an RSP8; however

Isn't it somewhat wrong to compare the NPE-G1 to any RSP since most of the 
packets, most of the time, are handled by the processors on the VIPs and 
never bother the RSP other than flowing through its SRAM?  Or at least a 
comparison should be NPE-G1 vs some combination of RSP and VIPs.  

If you take a 7500 as far as you can (RSP16, VIP6-80s), then how does it 
compare to a 7206VXR/NPE-G1?

Cisco plainly admits that the GEIP tops out at around 400mbit/s, but it's 
based on the rather old VIP2-50.  Anyone know if they plan to put out a 
more capable GEIP, perhaps based on the VIP6-80, which theoretically would 
double the GEIP's throughput?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-18 Thread jlewis

On Sun, 18 Jan 2004, Petri Helenius wrote:

> >It's those dang Nachi-sized ICMP echo/echo-replies.  We block those at all 
> >our transit points and dial-up ports.  Nachi was killing our cisco 
  ^^^
> >access-servers until we did this to stop the spread.
   

> I know what they are and how to get around them. I just look down on people
> dropping my packets in their backbones without reason.

I wasn't joking or kidding about the above.  Many others who run dialup 
services saw similar problems (both with cisco and other vendor's gear).  
Blocking these size/type packets, as per suggestions from cisco's web site 
was the easiest way to keep our network up, and prevent additional 
infections both into and out from our customers.

Have others who implemented them dropped their echo/echo-reply 92-byte 
filters?

If tracert defaulted to udp like just about every "unix" traceroute or 
allowed you to vary the packet size or protocol, this wouldn't be as much 
of an issue.
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-16 Thread jlewis

On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> Of course, if they tried to run the test *before* assigning the
> block, it should fail, because it should still be in everyone's
> bogon filters.  ^_^

So before assigning a block, mark it as "Pending assignment" or "Assigned 
to IANA".  

> their bogon filters.  It would also require that the RIR
> to whom the block has been assigned arrange with their
> upstream to have the test block routed; 

That's trivial.

> perhaps they could use the top block from the new assignment for the
> test subnet, and then begin assigning from the bottom; hopefully by the
> time any substantial portion of the space has been allocated, the need
> for the test subnet will have passed, and the block can be used as part

Unfortunately, I doubt that.  ARIN's been assigning from 69/8 for a year 
or more and there are still lots of networks filtering it.  If RIR's were 
to setup such testing sites, it'd probably make sense to simply reserve 
the minimum allocation size block from each IANA assigned block and assume 
it will be used for reachability testing pretty much indefinitely.  Maybe 
they could be recycled after a number of years. 

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-16 Thread jlewis

On Fri, 16 Jan 2004, Petri Helenius wrote:

> >I wouldn't be surprised if more people are filtering 69/8 now than before,
> >roughly 40% of the spam hitting my servers is from there.

That's likely going to be true of each newly allocated block as spammers 
move around, move into them, or even scam the RIRs into allocating IPs 
directly to them.

> It also seems that 69box.atlantic.net (or someone nearby) is filtering 
> one specific size of ICMP packets.
> 
> Is certain packet size also considered a "bogon" or is this something 
> that will eventually be removed
> from the filters?

It's those dang Nachi-sized ICMP echo/echo-replies.  We block those at all 
our transit points and dial-up ports.  Nachi was killing our cisco 
access-servers until we did this to stop the spread.

Unfortunately, this breaks Windows tracert as it uses 92-byte echo 
requests.  Use a "real" traceroute, and you won't see this problem.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-16 Thread jlewis

On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> On Fri, 16 Jan 2004 11:34:18 EST, [EMAIL PROTECTED]  said:
> 
> > There are still numerous networks blocking 69/8.  Probably more blocking 
> > 70/8 as most of the people who were behind the times with their filters 
> > blocking 69/8 fixed that /8 but still don't keep their filters up to date.
> > 
> > http://69box.atlantic.net/cgi-bin/bogon
> 
> Can an early adopter of 70/8 please give Jon an address? :)

I was actually going to suggest that, but I've been pretty busy lately and 
can't guarantee how fast I'd get it setup and testing.  If someone did 
want to lend me a small chunk of 70/8 (whatever minimum size might make it 
through most prefix length filters) I would have no problem with making a 
"70box" interface on 69box and testing reachability to the hosts checked 
when 69box was setup.

Alternatively, the RIRs might consider doing this sort of thing before
allocating IPs from new blocks.  I know it's not their job to make sure
IPs are routable (especially not on every remote network), but as holders
of all the IPs, they are in the best position to setup such test sites
that would expose problems before they're dumped on members.  The only
slightly tricky part is coming up with a large population of remote IPs to
test for reachability.

Or, perhaps IANA could even do this before assigning an IP block to an 
RIR.

If either type of the above orgs wants to do this, I'm sure people from
the community would be willing to help out if they don't have or don't 
want to dedicate staff to this type of project.  It could be left to the 
community (or those who have been allocated or expect to be allocated 
IPs from these blocks) to try to notify broken networks about their 
outdated filters.  I know from my own experience with it, that it's a pain 
to do since it's not always clear who to contact, and even when you get 
the right contact, they may not understand/care about the problem.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-16 Thread jlewis

On Fri, 16 Jan 2004 [EMAIL PROTECTED] wrote:

> On Thu, 15 Jan 2004 15:31:37 PST, Steve Conte <[EMAIL PROTECTED]>  said:
> 
> > This is to inform you that the IANA has allocated 70/8 to ARIN.
> 
> All you early adopters of 69/8 now have somebody to share your pain with

There are still numerous networks blocking 69/8.  Probably more blocking 
70/8 as most of the people who were behind the times with their filters 
blocking 69/8 fixed that /8 but still don't keep their filters up to date.

http://69box.atlantic.net/cgi-bin/bogon

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: PC Routers (was Re: /24s run amuck)

2004-01-14 Thread jlewis

On Wed, 14 Jan 2004, Stephen J. Wilcox wrote:

> Have been discussing PCs for a bit but as yet not deployed one, as I
> understand it a *nix based PC running Zebra will work pretty fine but
> has the constraints that:
> 
> o) It has no features - not a problem for a lot of purposes

Which "no features"?  I haven't played with zebra yet, but my 
understanding is that it supports a large subset of the IOS BGP config 
language including application of route-maps to incoming/outgoing routes, 
and therefore things like prepending, setting metrics or preference, etc.  
Am I mistaken?

> o) On a standard PCI but your limit is about 350Mb, you can increase that to a 
> couple of Gb using 64-bit fancy thingies

The application where I'm caring for one of these is around a dozen T1's
to several different transit providers on a Gateway router.  According to 
Imagestream, this router can handle up to 1 OC3 at "wire speed".  We're 
obviously not pushing anywhere near that through it.  The same customer 
has a handful of Rebel routers used for T1s/ethernets within their 
network.

> o) This may be fixed but I found it slow to update the kernel routing table
> which isnt designed to take 12 routes being added at once
> 
> Icky, could perhaps cause issues if theres a major reconvergence due to an 
> adjacent backbone router failing etc, might be okay tho

I've never timed it, but I haven't noticed it taking routes any slower 
than the ciscos I'm used to.

> o) As its entirely process based it will hurt badly in a DoS attack
> 
> This is a show stopper. I need the box to stay up in an attack and be responsive 
> to me whilst I attempt to find the source.

But it's got so much more CPU power than comparably priced ciscos...and 
most of the cisco gear I've worked on doesn't to terribly well under 
DoS...so I don't see a distinction here.  Either way, getting DoS'd sucks, 
but I've never seen a DoS hit any of the Imagestreams, so I don't know how 
it copes.

> I'm not an expert in PC hardware, so I do struggle to work out the
> architecture that I need and I'm sure its possible to build boxes that
> are optimised for this purpose however I'm still not convinced that the
> box can keep up with the demands of day to day packet switching - I'd

Their bigger routers, I'm pretty sure, have multiple PCI buses, so if you 
wanted to push lots of traffic, careful planning of which bus you put each 
card in may make a difference.  Their tech support is pretty responsive, 
so they'd be the place to go with technical/architectural questions.

Another nice feature is with iptables, they can now do stateful 
firewalling / connection tracking.

------
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: /24s run amuck

2004-01-14 Thread jlewis

On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:

> I stand corrected. The following page comparing Cisco and Imagestream
> is quite interesting.
> 
> http://www.imagestream.com/Cisco_Comparison.html
> 
> How many of you would buy an Imagestream box to evaluate for
> your next network buildout? 

I've been managing a couple of these for a customer for a couple of years.  
They work.  The main problem I'd have with trying to use them on our 
network is a lack of certain features I'm either used to or totally 
dependent on in our ciscos.  

i.e.
MPLSVPN (lack of it) would be a show stopper for us.
The gated-public they come with lacks features...AFAIK there is no support 
for communities, prepending, etc.
Their current software image does include zebra now, but last I looked it 
was not officially supported.

For a relatively simple end-user BGP customer, it works fine.  And the
nice thing is it's PC-type hardware so if you need more RAM, just throw in
another dimm.  No worries about the global routing table growing and
having to buy a bigger router because your year or two old one no longer
supports enough memory to hold full routes.  I suspect the CPUs are
upgradable as well...but I've never actually touched the hardware...I've
always worked on it remotely.

OS-wise, it's a minimal Linux distribution with a menu interface (or you
can drop to a shell) and there is a little space on the flash to add 
additional software if there something you want that they don't supply.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: GSR, 7600, Juniper M?, oh my!

2004-01-07 Thread jlewis

On Wed, 7 Jan 2004, Michel Py wrote:

> > I've heard conflicting reports, is a 7206 faster at packet switching
> > than a 7507?
> 
> Greatly depends what's inside it. Sure, if your 7507 has an RSP2 (which
> basically is a 3640 on a blade) and legacy (meaning, non-dcef) blades a
> 7206 will beat the crud out of it. However, a loaded 7206 with a low-end
> NPE can choke when the 7507 with an RSP16 and recent VIPs will sail
> smoothly.

Even comparing a VXR with NPE300 to a 7500 with RSP4 and VIP2-50's, the
7206 will melt down and cease functioning properly on traffic levels the
7500 handles without breaking a sweat.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net        |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Stopping ip range scans

2003-12-29 Thread jlewis

On Mon, 29 Dec 2003 [EMAIL PROTECTED] wrote:

>  Recently (this year...) I've noticed increasing number of ip range scans 
> of various types that envolve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various 

What ports are being probed?  SOP for script kiddies for at least 10 years 
has been find a box you can hack root on, install a vulnerability scanner 
for the remote-root vulnerability d'jour, fire it up, and come back in a 
day or so to see what you've found.  Then hack the newly found vulnerable 
boxes, install the scanner on each of them, and repeat the process.  Some 
of these packages have done things like download the .com zone (back when 
F allowed this) and scan all NS's for bind vulnerabilities.  Others just 
pick a random IP and scan sequentially higher IPs.  More recently, some 
packages have combined the scanning and hacking.

If you don't want the scans, block everything you don't want at your
router.  Otherwise, just make sure your systems are up to date.  A common
OS with unpatched known remotely exploitable holes doesn't last long on an
unfiltered internet connection.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: a note to those who would automate their rejection notices

2003-12-27 Thread jlewis

On Sat, 27 Dec 2003, Paul Vixie wrote:

> today AOL thoughtfully supplied the following to [EMAIL PROTECTED]:

Did they really?

>   [EMAIL PROTECTED]
> SMTP error from remote mailer after initial connection:
> host mailin-02.mx.aol.com [64.12.137.89]:
> 554-(RLY:B1)  The information presently available to AOL indicates this
> 554-server is generating high volumes of member complaints from AOL's
> 554-member base.  Based on AOL's Unsolicited Bulk E-mail policy at
> 554-http://www.aol.com/info/bulkemail.html AOL may not accept further
> 554-e-mail transactions from this server or domain.  For more information,
> 554 please visit http://postmaster.info.aol.com.
> 
> this was in response to what the e-mail community refers to as a "trivial
> forgery", whose salient headers were:
> 
>Return-path: <[EMAIL PROTECTED]>
>Received: from port-212-202-52-233.reverse.qsc.de
>   ([212.202.52.233] helo=1-online-poker-video.com)
>   by mx01.qsc.de with esmtp (Exim 3.35 #1)
>   id 1AQIw9-bF-00; Sun, 30 Nov 2003 05:11:58 +0100
>Message-ID: <[EMAIL PROTECTED]>
>From: "Ediva Clapp" <[EMAIL PROTECTED]>

You didn't include much of the bounce, but from what you did include, I'm 
guessing this is similar to lots of spam bounces I've gotten.  
port-212-202-52-233.reverse.qsc.de originated the message (most likely via 
a trojan spam proxy/emitter thats infected it) and sent the spam through a 
local mail server, mx01.qsc.de.  mx01.qsc.de is actually the system 
blacklisted by AOL.  When it failed to deliver this spam to AOL, it tried 
returning it to the "sender", which likely landed the message in a 
catch-all email box at vix.com.

Assuming that's what happened, this isn't AOL's fault at all.

> them was "must scale indefinitely".  a simple application of this principle
> toward anti-virus and anti-spam automated rejection notices is to ignore
> the envelope and ignore the header and just focus on the peer IP address:
> 
>To: [EMAIL PROTECTED]

That too will bounce.  I haven't checked, but I'd bet 
port-212-202-52-233.reverse.qsc.de (212.202.52.233) is an end-user running 
some flavor of Windows and does not run an SMTPd.

> "don't make me stop this car, kids."
> 
> ...and to all a good night.

When did this become SPAM-L?  This sort of thing's been talked about on 
several of the "other spam lists" for a few weeks since some spamware app 
started using "local MX's" as relays, likely to circumvent DNSBLs and 
outbound 25/tcp blocking.
 
We're all going to have to come up with patches or hacks to "rate-limit" 
outgoing email by originating IP, or things are really going to get ugly 
as ISPs start blacklisting each other's mail servers to stop this sort of 
relayed spam.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: IANA down?

2003-12-21 Thread jlewis

On Sun, 21 Dec 2003, Etaoin Shrdlu wrote:

> It's you, or something in between. FYI, a traceroute dies at about Los
> Nettos, in SoCal (at 207.151.118.18), and I know that they don't ordinarily
> block ICMP...

I _can_ ping www.iana.org, can't traceroute to it, and the actual web page 
eventually came up very slowly (long delay).  Traceroutes die with either:

15  POS7-0.GW6.LAX9.ALTER.NET (152.63.116.101)  87.960 ms  88.537 ms  
86.978 ms
16  icann-gw.customer.alter.net (157.130.247.6)  272.316 ms  128.823 ms  
229.495 ms
17  * * *

or 

15  POS7-0.GW6.LAX9.ALTER.NET (152.63.116.101)  87.498 ms  93.552 ms  
87.251 ms
16  icann-gw.customer.alter.net (157.130.247.6)  92.130 ms  93.301 ms  
90.516 ms17  * icann-gw.customer.alter.net (157.130.247.6)  91.212 ms !X *
18  * * *

Somebody DoS'ing www.iana.org?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Bandwidth Control Question

2003-12-19 Thread jlewis

On Fri, 19 Dec 2003, Randy Bush wrote:

> 
> > PA-2FE-FX$5000/card$25.00/Mbit
> 
> $2,000 on ebay

And for the 7500s, you can get POSIP full cards for $250-$1000 depending 
on fiber type, also from ebay.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AOL postmaster (new request)

2003-12-02 Thread jlewis

On Tue, 2 Dec 2003, Derrick Bennett wrote:

> I really hate doing this but after 5 days and no one at AOL's helpdesk
> can even tell me why our subnets are being blocked. Can someone with the
> Postmaster helpdesk level 2 or higher please contact me. I have a
> ticket, I have followed all the rules, and I am still being told that no
> one knows why the block is there and no one knows when I will get a

I'd have thought this was common knowledge by now...enough of us have gone 
through it.

Do you currently get scomp reports from AOL for your IP space?
If not, tell their helpdesk people you want to get setup for scomp 
reports.

The most likely reason for AOL blocking you is they've received greater 
than some threshold of AOL user spam complaints for email originating at 
or relayed through your network.

Have you verified that they're blocking entire subnets or all of your IP 
space, or is it just one or a few mail server IPs?  If it's just a few 
IPs, the quickest fix is to add some additional IPs to your outgoing mail 
server(s) and make them talk to AOL using the new IPs.  That will get mail 
flowing again, but you still need to track down and deal with whatever 
problem caused them to block you, or your new IPs will end up blocked as 
well.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Above.net problems ??

2003-11-25 Thread jlewis

On Tue, 25 Nov 2003, hostmaster wrote:

> anyone having trouble with above.net at the moment ?

I'm sure somebody is.  I have a problem with the way they filter portions 
of the internet (which I'm just assuming has not been resolved internally 
yet).  Perhaps you're asking about their outage in/to Europe today which 
they say is being caused by a failure in undersea fiber.  Apparently 
that's going to take weeks to get fixed, so they're looking at alternative 
connectivity to replace it while it's down.

 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Reachability problems for www.listen-to.com

2003-11-13 Thread jlewis

On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote:

> > We received a 69.144/16 from ARIN and spent the following few months
> > requesting numerous operators to take that space out of their filters.
> > Apparently for various historical reasons many operators filter the entire
> > 69. Block.  That could be part of the problem.
> 
> http://not69box.atlantic.net/
> http://not69box.atlantic.net/cgi-bin/bogon

If you tried these links recently and got an odd message about "Your web
site is currently down.", please try again.  Someone just pointed out that
I'd managed to break the site for access from outside our network while
making some IP changes on it a few weeks ago.  I've tested it from off-net
now and verified it's back up at both not69box.atlantic.net (209.208/17
IP) and 69box.atlantic.net (69/8 IP).

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Reachability problems for www.listen-to.com

2003-11-13 Thread jlewis

On Thu, 13 Nov 2003, Fisher, Shawn wrote:

> We received a 69.144/16 from ARIN and spent the following few months
> requesting numerous operators to take that space out of their filters.
> Apparently for various historical reasons many operators filter the entire
> 69. Block.  That could be part of the problem.

http://not69box.atlantic.net/
http://not69box.atlantic.net/cgi-bin/bogon

That second page makes it really easy to see if 69/8 filters are the 
problem.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: No "encapsulation" command on IOS 12.2(12a) ??

2003-10-24 Thread jlewis

This is what http://cio.cisco.com/go/fn is for.  You need a "plus" version 
for VLAN support on the 3620.  i.e. IP Plus, Enterprise Plus, etc.  Your 
IP version below doesn't include the feature you're looking for.

On Fri, 24 Oct 2003, Roman Volf wrote:

> 
> Show Version:
> 
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3620-I-M), Version 12.2(12a), RELEASE SOFTWARE (fc1)
> 
> flash image:
> System image file is "flash:c3620-i-mz.122-12a.bin"
> 
> 
> I'm trying to configure a FastEthernet sub interface for 802.1q VLANs, but
> theres no encapsulation command. I've googled it up for about 2 hours and
> have come up with nothing... the following command sequence is documented
> dozens of times:
> 
> As shown on:
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#wp3944
> interface fastethernet slot/port.subinterface-number
> encapsulation dot1q vlanid
> 
> 
> Any help would be appreciated.
> 

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Pitfalls of _accepting_ /24s

2003-10-16 Thread jlewis

On the topic of announcing PA /24's, what procedures do you take to make
sure that a new customer who want's to announce a few PA (P being one or
more P's other than yourself) IP space is legit and should be announcing 
that IP space?  

I'm not sure what they do internally, but I know Sprint, C&W, UUNet,
Genuity, Level3, MFN and Broadwing will all comply with a customer's
request to route space with nothing in writing other than an email request
/ webform filled out / route objects properly setup.  A client multihomed
to a few of those providers (and who has a /24 from each provider) just
signed up with a 4th provider.  P4 wants an LOA on company letterhead from
each other P authorizing the client to announce those other P's /24's.

This is the first time I've ever heard of such precautions.  The client 
was really not ammused, but I explained that it's possible P4 (who has a 
rep for doing business with spammers) has gotten burned by customers 
announcing hijacked (or otherwise unauthorized) blocks and just wants to 
be extra careful now.

Personally, I just check whois, and if it looks legit, I'll listen to 
those routes and even create their route objects as necessary, since some 
of our upstreams require that.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Extreme BlackDiamond

2003-10-13 Thread jlewis

On Mon, 13 Oct 2003, Richard A Steenbergen wrote:

> Is it just me, or could nanog really benefit from being moderated, or at
> least nanog-post being access controlled? God knows why I've kept skimming
> it even after the majority of actual clueful network operators have long

Are you volunteering to be the moderator?  Moderation is alot of work, 
and/or would slow the list down to a crawl.

Perhaps limiting who can post would be somewhat useful though.  Perhaps 
only people actually operating "real networks", where "real networks" are 
somehow defined by their size or their participation in BGP.

>From here, [EMAIL PROTECTED] looks like a relatively small colo 
customer.  What's he looking at big switches for?  More importantly, does 
anyone care?

As long as I'm ranting, what about all the recent "could someone with clue
from Network X please contact me privately?" posts?  If I was that person
at Network X, I'd want to know what your issue was before I bothered
contacting you (very few of these posts have included any problem
description)...both so that I could look at the problem (if there was one)
before contacting you, so that I could have the appropriate person contact
you (if I'm not it), and so I could not waste the time if you're trying to
contact me about an issue (or non-issue) you have no business wasting my
time with.

network:Class-Name:network
network:ID:332.209.51.128.0/19
network:Auth-Area:209.51.128.0/19
network:Network-Name:eservers-00037-01
network:IP-Network:209.51.159.224/29
network:Organization;I:eServers dot biz
network:Tech-Contact;I:[EMAIL PROTECTED]
network:Admin-Contact;I:664.dv2.net
network:Created:20020906
network:Updated:20020906
network:Updated-By:[EMAIL PROTECTED]

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: AOL mail server problems?

2003-10-12 Thread jlewis

On Sun, 12 Oct 2003, Brian Bruns wrote:

> I've noticed some weird things going on with AOL's smtp servers today -
> 2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [64.12.138.89] closed connection in response to initial connection
> 2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [64.12.136.153] closed connection in response to initial connection
> 2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com
> [152.163.224.122] closed connection in response to initial connection

They're probably blocking you.  Have you gotten many scomp complaints 
recently?...perhaps a big backlog of them that you/your abuse people 
haven't dealt with?  Last time I dealt with AOL blocking us, that was the 
cause, and the result was mixed.  Sometimes we'd get the connection closed 
as above, sometimes a 550 message telling us we were blocked.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Block all servers?

2003-10-11 Thread jlewis

Didn't susan ask for this topic to move off-list?  Anybody (no...not
Merit) care to step up and create a nanog-issues list where such 
discussions can continue unmolested when the nanog topic police declare an 
important topic off-topic?  

I can understand how some operators might not want to hang out with the
masses in spam-l or spam-tools, or waste their time with the noise and
kooks in nanae.  But these are some pretty serious problems and if we
can't come up with solutions soon, the internet is pretty much totally
screwed.

See more below

On Sat, 11 Oct 2003, Petri Helenius wrote:

> Secondly, it´s very hard, if impossible to come up with a NAT device which
> could translate a significant amount of bandwidth. Coming up with one to put
> just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)

So do the NAT closer to the edge.  If you're providing DSL, do many of 
your customers use DSL modems plugged into their PCs (USB, PCI)?, or are 
you selling/leasing them DSL routers?  In the very beginning, we either 
sold or gave PCI or USB DSL modems to our customers, but those were 
usually a PITA to support due to problems with windows, driver issues, 
hardware becoming unsupported when customers upgraded to the next version 
of windows, etc.  Now, we only hook up DSL customers using DSL routers, 
and all the DSL routers we've ever used can do NAT, so there'd be no need 
to try to do NAT at the DSL agg router.

I suspect we could selectively do NAT or not for dial-up customers on our 
access-servers...though I'm not sure how the very large (like AS5400, 
AS5800) units would fare trying to do NAT for several hundred dial-up 
sessions. 

But why all this talk of NAT?  Even if we all universally deployed it on 
monday, it wouldn't solve the problem.  All it would do is keep the 
spammer/hackers from turning grandma's PC into a web server/proxy.  She 
can still catch tuesday's email virus which will cause her PC to hang out 
in some IRC channel or monitor some web page, and be remotely controlled 
for the purpose of sending spam, participating in DDoS floods...and now 
things just got much harder to track down.  When you get complaints that 
a.b.c.d is participating in some kind of attack, how do you tell which of 
the dozens or hundreds of customers NAT'd to that IP is 
responsible/infected?


--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-09 Thread jlewis

On Thu, 9 Oct 2003, Joe Boyce wrote:

> VA> Personally, I think preventing residential broadband customers from hosting 
> VA> servers would limit a lot of that. I'm not saying that IS the solution. 
> 
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting
> websites.

That's obviously the case.  No spammer has "thousands" of legitimately 
purchased DSL/Cable connections.  The article pretty clearly says they're 
exploiting insecure windows (isn't that redundant?) boxes.

Trouble is, how do you stop this?  Just blocking common ports like 80 by
default (unless the customer plans to actually run a web server and asks
for the filter to be removed) won't work.  The spammers can just as easily
spam with urls containing ports (http://blah.biz:8290/) if they find 80
is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the 
box version of windows (and for everyone to upgrade), how do you stop 
this?  Widespread deployment of reflexive access lists?  Force all 
broadband customers to use NAT and let them forward ports or entire IPs to 
their private IP servers if they have any?  Wait for the legal system to 
catch and prosecute a few people who do this and deter others from trying 
it?  Convince registrars to kill domains that are clearly being used by 
thieves?
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: ftp.cisco.com broken ?

2003-10-07 Thread jlewis

On Tue, 7 Oct 2003, Ezequiel Carson wrote:

>   can you resolve ftp.cisco.com?
>   
> [EMAIL PROTECTED] /]# ping ftp.cisco.com
> ping: unknown host ftp.cisco.com
> [EMAIL PROTECTED] /]#

Probably something to do with the DDoS they said they were under 
yesterday.

Non-authoritative answer:
Name:   ftp.cisco.com
Address: 64.102.255.95

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re[2]: CCO/cisco.com issues.

2003-10-06 Thread jlewis

On Mon, 6 Oct 2003, Allan Liska wrote:

> KS> The following well-remembered lines come to mind here, and excuse me if
> KS> you hear a slight hysterical laughter from my direction:
> 
> I don't know what your post has to do with the original topic, but if
> you don't like the way NONOG is moderated, please feel free to start
> your own Network Operators mailing list.

I'm only guessing here, but I think what he may have meant was:

First They Came for the IRC bots
and I did not speak out
because I did not run a bot.
Then They Came for the IRC servers
and I did not speak out
because I did not run an IRC server.
...skip a few years...
Then They Came for the DNSBLs
and I did not speak out
because I did not run a DNSBL.

Now that they've come for cisco, maybe law enforcement, network operators, 
and router vendors will all get their $h!t together and do something to 
put a stop to these DDoS attacks that have been going on in various forms 
for several years.

A handful of people (an assumption on my part) have the power /
distributed bandwidth to bring just about any internet site/network to its
knees using the distributed.net meets DoS tools they've created and
distributed to thousands, perhaps millions of internet connected windows
boxes.

Anyone who doesn't think that's an operational issue, just wait until it 
bites you on the ass. 

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_





Re: what happened to ARIN tonight ?

2003-09-28 Thread jlewis

On Sun, 28 Sep 2003, Robert Boyle wrote:

> I see them via a UUNet announcement through Veroxity and Sprint transit, 
> but I don't see it via any other peer or transit provider. Are they 
> multi-homed?

I only see them via uunet as well.  I noticed earlier that they were
supressed due to dampening (must have had some issues with their
connection and flapped one too many times).

They seem to be back now.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AOL Proxy Servers not connecting via https - resolved

2003-09-25 Thread jlewis

On Thu, 25 Sep 2003, Ron da Silva wrote:

> 
> On Thu, Sep 25, 2003 at 06:11:23PM -0400, Brian Bruns wrote:
> > 
> > This might be helpful to people setting up ACLs and the like:
> > 
> > http://webmaster.info.aol.com/proxyinfo.html
> 
> I think the point that Mike was making is that RFC1918
> space is 172.16.0.0/20 not a /8.

At least two people have posted incorrectly about 172.16, wrt who has what 
and how big it is.

Rekhter, et al   Best Current Practice  [Page 3]
RFC 1918Address Allocation for Private Internets   February 1996

3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

 10.0.0.0-   10.255.255.255  (10/8 prefix)
 172.16.0.0  -   172.31.255.255  (172.16/12 prefix)
 192.168.0.0 -   192.168.255.255 (192.168/16 prefix)

AOL has

NetRange:   172.128.0.0 - 172.191.255.255 
CIDR:   172.128.0.0/10 
NetRange:   172.192.0.0 - 172.211.255.255 
CIDR:   172.192.0.0/12, 172.208.0.0/14 

and apparently a bunch of other blocks.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: williams spamhaus blacklist

2003-09-25 Thread jlewis

On Wed, 24 Sep 2003, Leo Bicknell wrote:

> What you're missing in my argument is that it doesn't matter.  I
> have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
> corporate mail servers is not the solution.  Sure, it may get
> someone's attention at wcg, but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

But it's ok when AboveNet does it?...or actually does much worse by
secretly and arbitrarily blackholing various networks at will, while
advertising connectivity to those networks to their BGP customers and
peers?

This means anyone connected to AboveNet will be unable to reach those
blackholed victims if the routes to those destinations propogated by
AboveNet appear to be their "best route" to the affected networks.  This
breaks connectivity even though we have multiple other transit providers.

This is much worse than a Spamhaus (or any other DNSBL) listing since
anyone using such services does so by choice and can decide for themself
what action to take, if any, for listed addresses.  With AboveNet
blackhole routing, our only option, once we're aware of the problem, is to
make changes to our routing policy and force traffic away from AboveNet
and onto one of our other transit providers.

We only find out about such AboveNet blackhole routes when we open a
ticket with AboveNet to ask why your network is broken when our customers
complain of networks they can't reach when using our service (i.e. banks
that can't reach their staff training web sites), but they can reach from
other service providers, so they inform us that our network is broken.  
Who's attention is AboveNet trying to get?

Anyone taking BGP routes from AboveNet, or worse yet, single homed to
AboveNet, ought to be aware of this policy.  At the very least, you should
make sure whoever does your BGP is aware of it and knows how to reroute
traffic when the "best route" doesn't actually work.  You also might bring
it up with your sales person when it's time to renew.

The central image on www.above.net boasts of "Unconstrained Information
Exchange".  I wish that were true.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_








Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread jlewis

On Tue, 23 Sep 2003, Geo. wrote:

> If any of the dos'ed to death rbls really want's to get back at the spammers
> it's easy. Write software that allows any ISP or business to use their mail
> servers and their customers/employees (via a foward to address) to maintain
> their own highly dynamic blacklist.

Already been done.  http://spamikaze.nl.linux.org/

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread jlewis

On Tue, 23 Sep 2003, Jason Slagle wrote:

> It's somewhat funny.  Quite some time ago, us IRC server operators warned
> about this same thing, and were mostly just told to "not run IRC servers."

A private IRC server with one user isn't much fun.

> The anti-spammers will likely just get told to "not run DNSBL's."  This
> only works up until the point that it's YOUR service thats getting hit and
> people tell you to stop running it.

A private DNSBL with one user works just fine.

If whoever is behind this succeeds in "driving all the DNSBLs off the net" 
what they'll really do is drive them all underground.  In the short term, 
lots of networks will lose access to the public DNSBLs they've been using.  
The spammers will rejoice, but that will only fuel the creation of 
hundreds (maybe thousands) of new private DNSBLs.  Necessity is the mother 
of invention.  Those with clue, will run their own.  Alot of those without 
will too.  Some will likely even latch onto the "last snapshot" they got 
before the DNSBLs they were syncing went offline/private.  These will, of 
course, get out of date and out of sync almost immediately.  

Once you host a customer who turns out to be a spammer, good luck getting 
those IPs removed from 1 private DNSBLs.  E-mail abuse management may 
be the next field to really open up with job opportunities as networks 
will have to contact a large portion of the internet to try to get IPs 
cleared from everyone's private DNSBL...most of which will be poorly 
documented if at all.

Just over 2 years ago, I posted a message titled "Affects of the 
balkanization of mail blacklisting" about how ex-MAPS users were using 
out-of-sync copies of the MAPS DUL after MAPS went commercial and those 
networks presumably lost access to the data.  I guess that was just the 
tip of the iceberg.
 

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: VeriSign SMTP reject server updated

2003-09-21 Thread jlewis

On Sat, 20 Sep 2003, Avleen Vig wrote:

> > > We are interested in feedback on the best way within the SMTP protocol
> > > to definitively reject mail at these servers.  One alternate option we
> > [snip]
> 
> The correct "solution" is to remove the wildcarding.
> Until that happens, the best thing to do IS accept and then reject mail.
> This is significantly better than leaving it to expire in a spool after
> 5 days.

Did someone already suggest adding an MX to the * record that points to a 
nonexistent host (obviously in some other TLD)?  At least in my 
environment (sendmail/bind9/Linux), I can setup a wildcard record with an 
A 
record and an MX record pointing to a bogus host, and mail bounces 
immediately.

550 5.1.2 <[EMAIL PROTECTED]>... Host unknown (Name server:
nomail.invalid.: host not found)

I think the whole wildcards in .com/.net is a bogus idea...but this sort
of setup would at least keep lots of mail from trying to get delivered to
VeriSlime.  I've already had to fix one old SpamAssassin installation that
was scoring mail based on hits in one of the dorkslayers.com dnsbls that
no longer exists.  It seems dorkslayers.com has decided to fix this by
registering some name servers again.  Until recently, they'd taken the
name server records off the domain, and so VeriSlime had hijacked
dorkslayers.com, turning it and all its subzones into a 0/0 dnsbl.

modified: 2003-09-16 15:52:46 UTC JORE-1

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Worst design decisions?

2003-09-21 Thread jlewis

The off-topic nanog thread that won't die (where are the topic
police?...never around when you need one)...and then just when you think
it has died, some member's virus infected Microsoft Windows PC (hey is
that redundant?) replies to you with the thread's subject and no body
other than a virus attachment, even though you never replied (on-list) to
the thread.

Whoever you are, do everyone a favor and turn off your PC.

Received: from speedbd.speedbd.net (212-165-128-186.reverse.newskies.net
[212.165.128.186] (may be forged))
by sloth.lewis.org (8.11.6/8.11.6) with SMTP id h8L7A4P09167
for <[EMAIL PROTECTED]>; Sun, 21 Sep 2003 03:10:19 -0400

My vote for worst design decision?  Easy.  Lookout Virus Express.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Providers removing blocks on port 135?

2003-09-20 Thread jlewis

On Sat, 20 Sep 2003, Justin Shore wrote:

> This veers off the original topic.  Of course I don't think any of us
> recall what that was anyways...  I remember back when I first started
> using the DUL.  Of all the DNSBLs I used at the time it blocked the most
> spam of any of them.  I mean that by long shot.  About the time the DUL
> and other MAPS lists went commericial is about the same time I noticed
> fewer and fewer hits on the DUL.  We still pay for an AXFR (IXFR) of it
> but it doesn't block nearly as much as it used to.

At one time, signing up for "throwaway dial-up accounts" was a common
spammer MO.  We got hit a couple times, and they were like a plague of
vermin [the spammers].  They'd sign up giving us bogus contact info and a
freshly stolen (active) credit card.  When the account was activated,
they'd dial in using half a dozen or so lines and pump out as much spam
(direct-to-MX) as they could.  The really annoying bit is, we'd terminate
them, they'd call right back, and sign up again, giving different bogus
info and card numbers.  We'd block them by ANI, and they'd block caller-ID
when calling us.  I ended up being forced to block access to some of our
dial-up numbers both by ANI, and if there was no ANI, and then had to
setup exceptions for a few customers in those areas who we never got ANI
for.  When I tried getting police in their areacode to investigate, they
had no interest/were too busy...even though I could give them phone
numbers the accounts were used from and stolen credit cards.

To put a little operational spin in here...how many of you run dial-up 
networks where you refuse logins unless you get ANI?...and if you do this, 
do you also maintain an ANI blacklist?

Anyway...they moved on to proxy abuse, then outright theft by creating
their own proxies on compromised MS Windows boxes.  Both methods have the
advantage of totally hiding the spammer from the recipients and bandwidth
amplification.  I imagine you could utilize multiple spam proxies on
broadband connections pumping out your spam while connected via dial-up
yourself.

If you look at the numbers at http://njabl.org/stats, about 5% of the
hosts that have ever been checked are currently open relays (or nobody's
bothered to remove them).  IIRC, at one point, this was nearly 20%.  
13.6% are open proxies...and the disparity is definitely still growing,
with about 10x as many open proxies as relays being detected daily.  
Unfortunately, the new breed of purpose-built spam proxies are generally
not remotely detectable, so the proxy percentage would be even higher if
it included the newer spam proxies.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Verisign's New Change and Outdate RBL's

2003-09-16 Thread jlewis

On Tue, 16 Sep 2003, Patrick Muldoon wrote:

> Was playing with a test box here at home. Installed SpamAssassian from a 
> newely cvsup'd ports tree on a FreeBSD box, and was surprised to see 
> messages getting marked as received in blacklists that no longer exist.  
> Most noteably ORBS.  Since this was a fresh Install I hadn't gone 
> through and removed the dead RBL's from 20_head_tests.cf yet.  Since 
> dorkslayers doesn't exist. any queries for it are returning that 
> infamous sitefinder address.
> 
> [EMAIL PROTECTED] doon]$ host  34.131.246.64.orbs.dorkslayers.com
> 34.131.246.64.orbs.dorkslayers.com has address 64.94.110.11

I wonder if they've been playing with these wildcards on and off for a few
weeks?  I have a script that checks for our mail servers in a bunch of
popular DNSBLs periodically.  On and off over the past few weeks, I
started getting notifications from that script that all of our servers
were in the various dorkslayers.com DNSBL zones.  The dorkslayers.com
DNSBLs were all shut down, AFAIK, at least several months ago. I got this
notification again last night, and finally commented out the tests for
those zones.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 92 Byte ICMP Blocking Problem

2003-09-13 Thread jlewis

That's really weird.  I've been running with 

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500)'s are all running 
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 

On Fri, 12 Sep 2003, William Devine, II wrote:

> I had the exact same problem.  As soon as I turned it on, within minutes I
> had customers calling that could no longer FTP into Win2k servers and some
> that couldn't SSH into their Linux servers.
> I've since turned it off as well.
> Are there any other known ways to block this?
> 
> - Original Message - 
> From: "Chris Adams" <[EMAIL PROTECTED]>
> To: "Steven M. Bellovin" <[EMAIL PROTECTED]>
> Cc: "Nanog" <[EMAIL PROTECTED]>
> Sent: Friday, September 12, 2003 1:32 PM
> Subject: Re: 92 Byte ICMP Blocking Problem
> 
> > I don't have it in place anymore (because it caused more problems than
> > it fixed), so I can't test this.  In any case, the route map only
> > matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> > PMTU uses, so it shouldn't have had a problem.  Also, I know that the
> > MTU along the path for the person in the office is the same all the way,
> > so PMTU shouldn't come into play there.

------
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Tier-1 without their own backbone?

2003-08-28 Thread jlewis

On Wed, 27 Aug 2003, Sean Crandall wrote:

> I have about 5 GB of IP transit connections from Level3 across 8 markets
> (plus using their facilities for our backbone).  Level3 has been very solid
> on the IP transit side.  
> 
> MFN/AboveNet has also been very good to us.

Another happy Level3 customer.  

We have a similarly sized connection to MFN/AboveNet, which I won't
recommend at this time due to some very questionable null routing they're
doing (propogating routes to destinations, then bitbucketing traffic sent
to them) which is causing complaints from some of our customers and
forcing us to make routing adjustments as the customers notice
MFN/AboveNet has broken our connectivity to these destinations.

Or as they say, I encourage my competitors buy from them.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Re[2]: relays.osirusoft.com

2003-08-27 Thread jlewis

On 27 Aug 2003, Paul Vixie wrote:

> ...because running blackhole lists is surprisingly more hard
> than most people think.  (witness the sorbs.net message here
> a few hours ago complaining of 50Kpkt/day query loads.)  i've

Matt wasn't complaining about query loads.  And 50Kpkt/day in queries is 
nothing anyway.  He was complaining about being DDoS'd by spammers or 
others who just don't like dnsbls.  AFAIK, SORBS, SPEWS, and Osirusoft 
have all been the targets of DDoS's for a few weeks.

> this part, on the other hand...
> 
> >   he's put
> > *.*.*.* in, he's asking people not to use it anymore.
> 
> ...mystifies me.  anyone who has read rfc1034 or rfc1035, even
> if they did not also read rfc2181 or rfc2136 or rfc2308, knows
> that in a zone containing the following wildcardish data:
> 
>   $ORIGIN example.vix.com.
>   *   1H IN A 127.0.0.1
>   *.* 1H IN A 127.0.0.2

This was just a misunderstanding on the part of the previous poster.  
Unless he has a copy of the zone (not likely given the unreliability of 
Joe's DNS servers lately), he wouldn't be able to see this.  I think he 
just wasn't familiar with how wildcards worked and assumed each * only 
matched one [^.]*, which is incorrect.  AFAICT, what he did add was:

*   24H A   127.0.0.2
24H TXT "Please stop using relays.osirusoft.com"

which is much worse than just emptying the zone, removing it from the 
NS's, or shutting down the DNS servers.

> when i deprecated the old $foo.maps.vix.com zones in favour of the their
> corresponding replacements $bar.mail-abuse.org some years ago, i had the
> foresight to ensure that no mail would be blocked by people who failed to
> put in the configuration change.  now you can all see why that was nec'y.

Mail would only have been blocked if you had done something crazy like the
above.

Mail was delayed (and servers put under heavy load waiting for DNS queries 
to time out) when MAPS finally shut off free access without warning (a 
week or more after they originally had warned they'd do it, but gave 
everyone an extension when there was massive public outcry and they were 
unable to keep up with inquiries about buying access).  


--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Opinion on null0'ing entire 218.0.0.0?

2003-08-26 Thread jlewis

On Tue, 26 Aug 2003, Mikael Abrahamsson wrote:

> > Is anyone getting hundreds of thousands of spasm a day from 218.0.0.0 like I
> > am? Has anyone actually considered null routing the whole block?
> > 
> > Is there actually any 'users' in APNIC space? Or is it all spam from korea?
> 
> Korea has one of the highest ratio of broadband connected households in 
> the world (if not the highest).

That would explain the incredibly large number of open proxies in 218/8.

Drew, I don't think you're being spammed by Koreans...at least not 
directly by the ones delivering the spam to you.  You're more likely just 
being spammed via open proxies that happen to be Korean.

It's your network...do what your customers will let you get away with.
How many Korean customers might you have that will be pissed when they 
find they can't exchange email with family and friends in Korea?  There's 
one sure way to find out.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: FW: TNT issues "workaround"

2003-08-23 Thread jlewis

On Sat, 23 Aug 2003, Ross Chandler wrote:

> > I seem to be having the same or similar problems with my Cisco boxes
> > also , they either reboot or the pris hang , users get busy's but no
> > one is logged in at all , when I do a show isdn status it shows b
> > channels in use but no one on, the only way to fix is reboot the box ,
> > and it seems to be timed , everyday at 1400 and 2200 hours , since
> > Monday anybody body heard of ciscos acting funny this week?
> 
> Perhaps your fast switching route cache is filling up memory. If you're
> willing to risk it enable CEF on all interfaces.

Some of the older cisco access-servers don't even support CEF.  The cisco
failures seem to be memory starvation/fragmentation issues caused by out
of control route-cache growth caused by the nachi worm's attempt to ping
so many different hosts so quickly while looking for systems to spread to.

You can work around the issue by:

a) using policy routing to pass all dialup traffic through a route-map 
that sends 92 byte echo/echo-reply packets to null0.

b) blocking all echo/echo-reply coming in from dial-up users (i.e. apply 
an input acl to your virtual-template and/or group-async interfaces).

c) disabling route caching on the egress interface of the access server.

I'm doing a mix of a (on the access-servers that this works on) and b 
where a doesn't work...and tested c this morning and found it appears to 
work.
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Cisco OC-3c card question

2003-08-22 Thread jlewis

On Fri, 22 Aug 2003, Stephen Milton wrote:

> 
> What is the most cost effective equipment to use to connect two
> locations with an OC-3c circuit?  I currently have 7206VXR routers at
> both ends, so would prefer slot cards for those if feasible.

There are PA-POS-OC3 cards (IIRC 3 flavors), and you need to shop for the
right kind to match up with the way your telco provider is handing the 
circuit to you (multimode, single-mode intermediate reach and single-mode 
long reach).

http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_brochure09186a0080091c94.html

I recently needed some OC3 interfaces and went with older POSIP-OC3-50
cards (full size cards for the 7500 series) as they were much cheaper than
PA-POS cards.  They're basically specialized VIP2-50's with a double-wide
POS adaptor.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Hijacked email

2003-08-20 Thread jlewis

On Wed, 20 Aug 2003, Pascal Gloor wrote:

> > Anyone seeing hijacked email addresses with this Sobig-F worm?  I did
> > some research and I know I didn't send anything to Investec Bank of
> > Johannesburg,ZA. On top of that, I definitely did not send a worm.
> 
> same here... seems the worm is not only using the adress book for targets,
> but also as sources..

Is this surprising to anyone?  That's the way the past few Lookout Virus 
Express viruses have worked.  The funny thing is, on this account, I've 
gotten zero copies that I've noticed...just lots of mail from various 
lists talking about it.  

On my work account, I've gotten several this morning and a bunch of 
bounces.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: Working vulnerability? (Cisco exploit)

2003-07-18 Thread jlewis

On Fri, 18 Jul 2003, Ben Buxton wrote:

> It's released and it works - I have verified it in a lab here. 

And others are trying it in the field now.  I setup the recommended
transit ACLs yesterday.  Starting at 9:25am EDT this morning, those ACLs
started getting hits.  What doesn't make sense to me is according to the 
advisory, the packets have to be destined for the router to crash it (not 
just passed through it), but people are attacking seemingly random IPs, 
including ones in a new ARIN block that have not yet been assigned/used 
for anything.  What do they think they're attacking?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Don't call registry off the map?

2003-06-27 Thread jlewis

On Fri, 27 Jun 2003, Patrick wrote:

> Can anyone reach www.donotcall.gov? Seems to be off the map...
> 
> I guess this is just the publics way of inviting the DMA(Direct Marketing
> Association) to re-evaulate their assertions that the majority of the
> populace enjoys receiving telemarketing calls...

I was able to get the main page around 8am EDT...but even then it was very 
slow.  I entered 3 phone numbers and tried to submit, but it would not 
accept the connection for my form post.  I retried many times around 8am, 
and again just now, and finally got to steps two and three a few minutes 
before 1pm.  I heard from a few people who got all the way to step three 
before 8am EDT, but noone had received the email yet.
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: ISPs are asked to block yet another port

2003-06-23 Thread jlewis

On 23 Jun 2003, Paul Vixie wrote:

> 3) thoughtless reactionism at isp's does little good and sometimes some harm.
> 
> take for example port-25 blocking.  i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYN's through a provider who shall remain nameless
... 
> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACK's on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

We used to provide dial-up ports to a large cut-rate dial provider who I'm
not going to name.  Their reaction to such games was to send in their
radius auth packets data filters to block both outgoing to port 25 and
incoming from port 25.

There's nothing silly about restricting use of tcp/25 for dial-ups and 
other dynamics...you just have to do it right to be 100% effective.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: IRR/RADB and BGP

2003-06-22 Thread jlewis

On Fri, 20 Jun 2003, Andy Dills wrote:

> I dunno, there are plenty of smaller ASes who have yet to be forced to
> register their routes.
> 
> We haven't yet been forced, but I finally got motivated to submit them to
> altdb last night. Altdb definitely rocks.

Back when I got PI space in 1998, there were definitely some backbones 
ignoring routes not found in the IRR.  I wonder if they gave up, or people 
just don't notice them anymore.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Network discovery and mapping

2003-06-22 Thread jlewis

On Sun, 22 Jun 2003, Andy Dills wrote:

> That's quite a "medium-scale".
> 
> Is there a single entity in the world that controls 1,000 networks and
> 100,000 network devices?

WorldCom^Hn

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: IRR/RADB and BGP

2003-06-19 Thread jlewis

On Thu, 19 Jun 2003, Randy Bush wrote:

> the providers i know who want irr registration provide their own
> registry for their customers.  if yours does not, there are free
> registries around.

Just in case they don't, or if you'd rather be provider neutral in case
you switch providers or worry the current one will get bought / go under,
there's altdb.net (totally free), and IIRC, ARIN has their own routing
registry, which I think is free for ARIN members to use.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Spam from weird IP 118.189.136.119

2003-06-16 Thread jlewis

On Mon, 16 Jun 2003, Frank Louwers wrote:

> 
> > 
> > "Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
> ^
> what's the next/previous line? (The one just above it)

ditto.  I think you've been fooled by forged headers.  Not only is that IP 
in a reserved block, I've never heard of the NNFMP protocol except as 
referenced in poorly forged headers.


--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: rr style scanning of non-customers

2003-06-13 Thread jlewis

On Fri, 13 Jun 2003, Kuhtz, Christian wrote:

> Some ISPs, such as RR, appear to be implementing what I personally would
> consider quite aggressive approaches to guarding their network by
> implementing "proactive" scanning of non-customers, similar to what's
> described at
> 
> http://security.rr.com/probing.htm <http://security.rr.com/probing.htm> 
> 
> In this case, sending email to @rr.com appears to trigger this scanning
> business (mind you, this is not about the scanning their subs biz; I don't

Proactive = scanning for open systems before they come to you.
Reactive = scanning the IPs that connect to you to see if they're open.

They spell this out very clearly on the page referenced above and say that 
they're doing proactive scanning of their own network and reactive 
scanning of the rest of the internet.  Do you have any reason to believe 
they're not doing as they say?

Is it time for the monthy nanog spam debate again already? :)

Unfortunately, what they're looking for is only a small sub-set of the 
commonly used ports by various proxy software typically installed wide 
open on broadband connected systems.  If they're serious about reactive 
scanning, they ought to either update the ports tested or just ally with 
one of the various dnsbls that does this sort of testing (less/more 
effective testing would be the result).

The last time this topic came up, it was suggested by others that either 
trojan or virus software was installing/creating open proxies.  I wrote 
that off as people being overly paranoid.  I'm sorry to say that I now 
know this to be true and have seen many installations of at least one 
strain of such proxy software.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Black box that allows just an A or B DC feed

2003-06-09 Thread jlewis

On Mon, 9 Jun 2003, james wrote:

> 
> Thanks to those who indicated all I need is a relay and some diodes, 
> that I know ! I am more looking for black box that does this and is
> NEBS approved. 

Courtesy of Sean Donelan when I asked about this 6-7 months ago...

See http://www.enewton.com/

Part number 7570221021
FUSE PANEL,-48VDC,C-SOURCE

Their site won't give you any more information about it unless you have a 
login (which I don't).  I had our purchasing person look into this at the 
time, and was told they're quite expensive...so for gear with just one DC 
input, we've been just using one source.  Right now, that's just a few 
pieces.  Just about all our DC gear supports 2 power supplies.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Ettiquette and rules regarding Hijacked ASN's or IP space?

2003-06-09 Thread jlewis

On Mon, 9 Jun 2003, Joe Abley wrote:

> The ISP in Toronto asked for an LOA, and got one, neatly presented on 
> company letterhead, and accompanied by e-mail from the tech contact for 
> the block confirming that the request to advertise the block was 
> authorised.
> 
> Is that enough justification to perform the announcement? Where exactly 
> should the line be drawn?

Unfortunately, probably not.  How do they know it was company letterhead?  
Had they ever seen the company's letterhead before?  How do they know I 
didn't just create that LOA and letterhead in OpenOffice?

> Maybe some service akin to a credit check is required.
> 
>"Hello, I have a request to accept an announcement of 203.97.0.0/17 
> from AS 4768."
>"That request is legitimate according to our records, here is your 
> auth code."

Trouble is, how do you/they know if both the space and ASN have been 
hijacked?

>"Hello, my new customer with the following contact details has asked 
> me to originate 203.167.0.0/18 from AS 9327."
>"We cannot confirm the legitimacy of that request, and the listed 
> contact for 203.167.0.0/18 has been informed of your request."

The listed contact may not be who ARIN [or other local RIR] thinks it is.

> Since the RIRs contain the information required to answer those 
> questions, you'd expect them (or their data) to be involved in the 
> process of answering them.

They really don't.  Thus far, when space is assigned, the RIRs have no way 
to later authenticate that an organization using the space is the same one 
that they assigned it to.

As for the current state of BGP authentication/sanity checking, I can say 
2 of my 4 upstreams take whatever I put in the routing registry.  The 
other two require an email be sent requesting prefix filter updates.  I 
was just told by one, that they'll accept whatever I request, only 
questioning it if someone complains to them about it.  The other, I 
haven't asked, but I assume they work similarly.  On the bright side, all 
of them are at least filtering.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Pesky spammers are using my mailbox

2003-06-01 Thread jlewis

On Sat, 31 May 2003, Stephen J. Wilcox wrote:

>  seems some spammers are using one of my personal domains as the from
> field in their emails, the local-part being random so I cant easily
> block it.
> 
> Has anyone any advice on tracking them down and making them stop?

Tactical baseball bat at close range? :)

I and a number of coworkers are getting similar bounces, except the 
spammers are actually using our full email addresses as the from address.  
The first few cases of this, I wrote off to things like KLEZ...but 
recently I've gotten actual spam bounces where my work email address was 
the original from.

I suppose it could possibly still be something like KLEZ and it's grabbing 
a spam from their inbox and sending that out with a forged from.


--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: dnsbl's? - an informal survey

2003-06-01 Thread jlewis

On Sat, 31 May 2003, Mr. James W. Laferriere wrote:

> > White listing comes with any blacklist. The blacklists in particular
> > being discussed were the @dynamics, like the PDL and dynablock at
> > easynet. Both lists quite clearly state how they build their lists and
> > what they are designed to block (dynablock only takes out dialup, and
> > PDL takes out all dynamic addressing).
>   Query ,  How is it determined that the address in question is
>   dynamic or not ?  Who/how/what makes that determination ?
>   This is the core of my concerns .

It's usually determined via in-addr.arpa, whois data, or direct
information from the provider.  When MAPS was freely available, I used to
periodically email them updates on our IP space (please add these dial
ranges, please remove these others).  I'm sure others did the same.
AFAIK, they had at least one FTE who's job it was to maintain the DUL.

Those large providers who stole copies of the DUL before MAPS pulled the 
plug on them, and continued to use them without maintenance still annoy 
me as we've run into issues multiple times with space removed from the DUL 
still being in their private copies.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: IANA reserved Address Space

2003-05-31 Thread jlewis

On Fri, 30 May 2003 [EMAIL PROTECTED] wrote:

> 1.0.0.0 /8
> 10.0.0.0 /8
> 100.0.0.0 /8
> 
> I need 3 distinct zones which is why I wanted to separate
> them out. In any case, I was wondering about the
> status of the 1 /8 and the 100 /8 networks. What does
> it mean that they are IANA reserved? Reserved for what?
> http://www.iana.org/assignments/ipv4-address-space

It means (like what has happened recently with 69/8 and others) that
they're not in use YET.  Eventually, they will go from Reserved to RIR
assigned and you will have reachability issues if your lab is ever
connected to the internet.

> Anyone else ever use IANA reserved address spacing for
> lab networks? Is there anything special I need to know?

There's an awful lot of RFC 1918 space.  How about using some of it?

http://69box.atlantic.net/

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: [ifl.net #3657] Contact at: DNSRBL / Namesystems

2003-05-27 Thread jlewis

On 27 May 2003, John R. Levine wrote:

> > Despite attempts to contact DNSRBL / Namesystems I'm not receiving
> > any response at all - has anyone on the list any useful contacts?
> > (www.dnsrbl.com) - please reply off list.
> 
> I know a lot of DNSBLs, and I've never heard of this one before, nor
> do I know anyone who uses it.

I've heard of it...can't remember why.  Perhaps just that they popped up
in http://www.sdsc.edu/~jeff/spam/cbc.html which I check from time to
time.  I haven't had the opportunity to look at their site much since it
does "Evil $hit"(TM) that doesn't render in Netscape for Linux and locks
up Opera for Linux.  I had to use Konqueror just now to see their site.

> If someone's using to block mail and you care about sending mail to
> that recieipient, I'd be more inclined to call the receipient and
> suggest he or she use some more competently run DNSBLs.

Or just ask them to whitelist you, but it is kind of annoying that dnsrbl 
would list your server as a spam source, without making any evidence 
available on their site suggesting what caused them to form that opinion.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




69/8 revisited

2003-03-28 Thread jlewis

I've setup a little web site with the results of my ping sweep to attempt 
to locate as many networks as possible with outdated bogon filters.

http://69box.atlantic.net/

If you can't reach that, fix your network...or use the alternative 
non-69/8 hostname http://not69box.atlantic.net/

Number of IP's currently known to have 69/8 filter issues: 683
Number of /24 networks's currently known to have 69/8 filter issues: 511

Check out the site and see if you recognize any of the IPs.  You can 
test/remove IPs if they've become reachable, or test/add IPs if they have 
69/8 filter issues.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread jlewis

On Thu, 27 Mar 2003, Josh Gentry wrote:

> We've got customers trying to receive email from people using Verizon for
> Internet acess, and we are rejecting that mail because
> out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list.  Can't pull
> up the MAPS RSS website at the moment to check why.  Anyone know contact
> info for Verizon for this kind of issue?

MAPS RSS is a list of open relays, no?  It's a pretty good guess that the 
above mentioned server is therefore an open relay...and it's a correct one 
in this case.

http://www.njabl.org/cgi-bin/lookup.cgi?query=206.46.170.44
http://openrbl.org/ip/206/46/170/44.htm

If you're going to use a dnsbl, anybody's dnsbl, figure out how to 
whitelist first (or real soon after), because this sort of thing will 
happen from time to time.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net        |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread jlewis

On Wed, 26 Mar 2003, E.B. Dreger wrote:

> CK> The way I see it, the issue isn't that there aren't enough
> CK> notifications of BIND vulnerabilities.
> 
> Perhaps.  But how much is enough?  Current notification levels
> certainly get a fair number of admins to upgrade.

The majority of those who don't keep up with security releases won't
unless their systems break or you personally notify them and explain the
problem to them...much like equipment with unmaintained bogon filters go
unfixed until you track down the responsible parties and thwap them on the
head.  Short of designing some kind of time bomb (make it possible to turn
it off in the config for those who simply can't upgrade and don't intend
to) such that after a certain age or other trigger, the code simply
refuses to run, the unmaintained systems simply aren't going to 
get upgraded

How hard would it be to have bind do some sort of secure.bind.isc.org
query at start-up or perhaps even periodically and have it log lots of
warnings or refuse to run if the query comes back and tells it the local
version has been deferred due to security updates?  One obvious problem 
with this would be that certain vendors prefer to backport security fixes 
to older versions rather than test and release new versions...so an 
insecure-looking version string may actually have had fixes applied.  
Perhaps the query could be for a timestamp that's defined in the source 
with the assumption that any code older than the most recent security 
update must be insecure.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 69/8 revisited

2003-03-19 Thread jlewis

On Wed, 19 Mar 2003, Stephen Sprunk wrote:

> I'm wondering if there's something special about 69/8...  I can't recall
> this sort of discussion for 61/8 through 68/8, at least after CIDR in the
> former Class A space was initially validated.

For a very interesting comparison, do groups.google.com searches for 
69.0.0.0/8 and then for 61.0.0.0/8.  While the first is several pages of 
hits saying to block 69.0.0.0/8 as a bogon, all the links for 61.0.0.0/8 
seem to suggest blocking that /8 due to spam.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 69/8 revisited

2003-03-19 Thread jlewis

On Wed, 19 Mar 2003, Scott Granados wrote:

> I've definitely noticed the steady decline in complaints in reachability.  I
> think though at some point it will be resolved, after all all the other
> blocks got squared away it seems, or is that an incorrect assumption?

I'd bet they're not all resolved...just mostly to the point that nobody 
cares.  Does anyone have a traceroute web page from another (not 69/8) 
block that recently went from reserved to RIR allocated?  I'd be 
interesting to see how many of the 69/8 unreachable IPs are unreachable 
from other reserved->RIR allocated blocks.

By the end of the week, I expect to have a system setup (big system with
lots of available bandwidth) where people can do simultaneous traceroutes
from 69 and !69 IPs and see the results side by side.  I've got this now
on my workstation and have included a link to it in most of the filter
update request messages I've sent, but I don't want all of nanog (much
less /.) hitting my workstation.  I also plan to put the reachability
database on that system and make the unreachable IPs viewable.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net    |  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 69/8 revisited

2003-03-19 Thread jlewis

On Wed, 19 Mar 2003, Rick Ernst wrote:

> Their answer was basically that 69/8 (only) is where they are allocating from
> and that "from reading NANOG, it appears that much of the problem has been
> resolved."

I wonder what they based that ASSumption on?

The thread just sort of died...and now you've revived it.

> I haven't seen any updated information that 69/8 is now working for people.
> Is everyone just quiet about it, or have filters actually been updated making
> this a non-issue?

I've been busy with other things, so I haven't been able to spend as much
time on my 69/8 reachability project as I did the first few days.  I still
have a list of about 700 destinations reachable from 209.208/17 but not
from 69/8.  That's down from about 1000 when I did the first ping sweep.  
I know I've personally gotten half a dozen or so networks to update their
filtering.  I've also had several messages apparently go ignored (1 week
with no response and no filter update), two of which are US military
/16's.

A bunch of the remaining affected networks are in other countries where 
I'm afraid language is going to be a barrier.  This issue will likely 
never be entirely resolved.  Just hope your customers don't care about 
reaching the remaining affected networks.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: APNIC returning 223/8 to IANA

2003-03-17 Thread jlewis

On Mon, 17 Mar 2003, Leo Bicknell wrote:

> Just like the people who get 69/8 blocks should expect them to be
> fully usable as well, right?  Surely if one reserved /24 means you
> can return space and get new space assigned then the inability to
> reach some percentage of the internet is an even bigger, and more
> immediate concern that should warrant the same treatment.

I think all that really needs to happen here is an RFC update that 
unreserves 223.255.255.0/24.  RFC3330 already mentioned that the basis for 
this reservation was no longer applicable.  Someone at IANA just screwed 
up the order of events, as the block should have been explicitly 
unreserved before it was assigned.

On the same note, if you do a few google/groups.google.com searches,
you'll find that LOTS of people treat the networks marked as IANA-Reserved
in http://www.iana.org/assignments/ipv4-address-space in much the same way
as RFC1918 space, some even call them quasi-RFC1918 space.  A
groups.google.com search for 69.0.0.0/8 will turn up 5 pages of hits,
nearly all of which are firewall/ipf/ipchains/etc. config examples
recommending and demonstrating how to block, among other reserved nets,
69.0.0.0/8.

I'd like to strongly encourage IANA to reexamine all current IANA-Reserved
blocks, decide which ones will remain Reserved for the forseeable future,
and which are likely candidates for assignment to RIRs at any future date,
and update these to a more suggestive status such as
Future-RIR-Assignment.  Otherwise, we're going to repeat the 69/8 exercise
(signifigant parts of the net ignoring the space months after
assignment...some parts ignoring it likely for years) every time a net
goes from being IANA-Reserved to assigned to some RIR.  

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

2003-03-16 Thread jlewis

I got the following personal message from Mark Herrick of rr.com (which
I'm passing along with his permission/request).  I hope (and I think he
hopes) that by passing it along, some questions can be answered and
misunderstandings explained.

In an additional message, he answered my question of "how does rr.com 
security define 'network owner'?" with the following URL.

http://security.rr.com/subdelegation.htm

So as long as space is swipped or documented in a publicly accessible
rwhois server, if you're a contact for the IP block, you should be
accepted as the 'network owner'.

BTW...for the time being, rr.com has stopped SMTP relay testing and is
focusing entirely on finding and blocking mail from open proxies that have
been used to spam their customers.
 
-- Forwarded message --
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Your NANOG post


Hi Jon,

I was pointed to the thread on NANOG through another person, and I saw your 
post on the Merit website (below).

As I'm not subscribed to NANOG, and unfortunately I am prohibited (from a 
time resource standpoint, not administratively) from subscribing to that 
list at this time, but I thought that I'd comment on your post 
specifically, since it touched on more than one area. If you are so 
included, feel free to pass this along to NANOG, with my regards.

So, just to set one ground rule here - we're talking about proxy and relay 
testing, not full-out penetration testing. With that in mind...

To directly answer your first paragraph, you are absolutely correct - we 
have absolutely NO objection to open proxy or relay scanning of IP 
addresses from a system that either:

1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP 
server (a la AOL, Outblaze).

That being said, we have, and will continue to have, a severe issue with 
so-called 'scanning services', that *proactively* scan IP addresses (e.g., 
DSBL), or services that accept requests from anywhere to perform 
'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping 
on hand) proof (e.g., spam-in-hand) that the IP address is a source of 
spam, open to third party relay, or has an open proxy service.

At no time has Road Runner performed any PROACTIVE scanning on any IP 
address that does not belong to Road Runner.

Furthermore, we perform no REACTIVE scanning unless it meets one of the 
above criteria, and in addition, regardless of whether or not there has 
EVER been an issue with the network, we will not REACTIVELY scan ANY IP 
address when there is a request from the *network owner* that we do not do 
so. We have no wish to be abusive, and as such, we limit scans of an IP to 
one per week.

This is all clearly explained at http://security.rr.com.

You brought up another issue, which I *think* may be pointing to an 
argument that I had with Ron Guilmette some time ago, when his service was 
performing relay scans on our IP space or some such. I am fairly certain 
that this argument took place because I viewed Ron's scans to be proactive 
in nature.

Our stance on proactive scanning has not changed in the 5 years that I have 
been with Road Runner.

Anyways, as far as your last statement - since the inception of our 
scanning initiative (1st week in January), we have identified over 50,000 
open proxy servers. The problem is big, it's only getting bigger, and it's 
not going to go away, unfortunately.

Best,
Mark Herrick
Director - Operations Security
Road Runner








Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

2003-03-14 Thread jlewis

On Fri, 14 Mar 2003, Jeff Kell wrote:

> > Basically, RoadRunner tried to spam themselves using my server.  I mailed 
> > [EMAIL PROTECTED] about this, and received a canned response, enclosed.
> > 
> > Under their logic, I feel entitled to poke and prod their customers, just 
> > to make sure they don't spam me.  Is that fair?  I promise to provide an 
> > opt-out if anyone complains.
> 
> Oh no, they'll bitch, at great length.  This was recently discussed on 
> SPAM-L ( http://peach.ease.lsoft.com/scripts/wa.exe?LIST=SPAM-L ).

Actually, if you go a few rounds with Mr. Herrick of rr.com, and explain 
that you want to do the same sort of testing under the same ground rules 
as security.rr.com, I think you'll find that he will not object.
 
It is quite ironic (perhaps a sign of how bad the problem of spam on the 
internet has gotten) that rr.com has decided to emulate those that they 
have attacked in the past.

I suspect we've gotten to the point now that there are more open proxies 
than open relays on the net, and it seems the proxies are more heavily 
abused.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: cw to att? issue?

2003-03-12 Thread jlewis

On Wed, 12 Mar 2003, Scott Granados wrote:

> 
> Is there a good plac for a listing of the publically available
> route-servers?  I only knew of the oregon one.

http://www.traceroute.org/#Route Servers

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Question concerning authoritative bodies.

2003-03-12 Thread jlewis

On Wed, 12 Mar 2003, Ron da Silva wrote:

> Hmm...copy of centralized DNSBL + local DNSWL = local DNSBL ?  I guess
> the point is that centralized data is good in some sense, but utimately
> mirroring, copying, editing, or selective copy of that data will be done
> by operators in effect to create their own local DNSBL.

So where can we get copies of the AOL DNSBL? :)
I wonder how many MB the zone file is.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 69/8...this sucks -- Centralizing filtering..

2003-03-11 Thread jlewis

On Mon, 10 Mar 2003, Ray Bellis wrote:

> Most people seem to think it would be impractical to put the root name
> servers in 69.0.0.0/8
> 
> Why not persuade ARIN to put whois.arin.net in there instead?  It
> shouldn't take the people with the broken filters *too* long to figure
> out why they can't do IP assignment lookups...

The vast majority of broken networks won't care/notice.  A few will assume
ARIN's whois server is broken.  How often do people on forgotten networks
in China and Albania use ARIN's whois server?

Take away the western Internet (all of gtld-servers.net) and they will 
notice the problem.  

>From a whois, it appears Verisign owns gtld-servers.net.  Do they own just 
the domain or all 13 gtld-servers as well?  Anyone from Verisign reading 
NANOG care to comment on the odds of Verisign cooperating and helping 
with the breaking in of new IP ranges?

Also, on a side rant hereWhy do all the RIR's have to give out whois
data in different, incompatible, referal-breaking formats?  The next step
in my work once my ping sweep is complete (looks like that'll be today) is
going to be to take a list of what looks like it'll be ~1000 IPs and
generate a list of the unique networks that are broken.  To do this, it'd
be nice if there were some key I could get from whois, store in a column,
select a unique set from, then reuse to lookup POCs from whois, and send
off the emails.

registro.br and LACNIC entries start with inetnum: using what I'll call
brief CIDR, i.e.
inetnum:  200.198.128/19

APNIC and RIPE entries start with inetnum:, but use range format.  i.e.
inetnum:  203.145.160.0 - 203.145.191.255

ARIN entries include fields like
NetRange:   128.63.0.0 - 128.63.255.255 
CIDR:   128.63.0.0/16 

The APNIC and RIPE NetRange/inetnum fields are easy enough to deal with, 
but send a whois request for 200.198.128/19 to whois.arin.net and you get 
"No match found".  Send it as 200.198.128, and whois.arin.net will refer 
you to whois.lacnic.net.  Send it to whois.lacnic.net as 200.198.128, and 
you get "Invalid IP or CIDR block".

I realize programming around all this is by no means an insurmountable
task, but it is a pain.  It'd be ideal if there were a unique key field,
say Net-ID included in the whois output from all the RIR whois servers
that could be used to identify the network and the appropriate whois
server.  i.e.

NetID: [EMAIL PROTECTED]
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: scope of the 69/8 problem

2003-03-11 Thread jlewis

On Tue, 11 Mar 2003, Stephen Sprunk wrote:

> Come on, you're asking the root and/or TLD operators to renumber their
> servers -- not a trivial task -- every few months to intentionally disable
> their own service for what amounts to an academic experience.

Not for academic experience, but to encourage people to fix their broken 
filters.  And while renumbering a large network might be non-trivial, 
changing the IP or adding an IP alias on 13 individual servers should be 
a trivial operation.

> These folks are in the business of running a critical system that requires
> 100% uptime for hundreds of millions of users, and they do a damned good
> job.  Let them do it in peace, and find some other "must have" service (like
> porn) to put in 69/8.

100% uptime for the service, not for each individual server.

So now the 69/8 holders, in addition to driving a campaign to get others 
to fix their networks, should offer free hosting to porn sites?  How about 
free hosting for spamvertized sites?...oh wait, that might make the 
problem worse :)
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Question concerning authoritative bodies.

2003-03-11 Thread jlewis

On Tue, 11 Mar 2003, Ron da Silva wrote:

> Hmm...I would argue that every operator needs to run their own DNSBL.

Can you elaborate on why?  IMO, there are definite benefits to 
centralized, shared DNSBLs, especially if testing is involved.  Many can 
benefit from the work done by a few and not have to duplicate the work.

If you only DNSBL IPs after you receive spam from them, you have to get 
spammed by every IP before it's blocked.  Why not reject mail from IPs 
that have spammed others before they spam you and your customers?  Though 
I have problems with the way it's been run, I think that's the idea behind 
bl.spamcop.net.  If they could just restrict nominations to a more clueful 
group of users, such a system could be very effective for blocking spam 
everywhere as soon as one system gets hit.  For spam from open relays and 
proxies, a centralized DNSBL that tests the IPs that talk to servers using 
it can be just as, if not more, effective.

> It would be very difficult to convince any operator to give up control
> of defining their own DNSBL (or even not having one at all).

You can use a central DNSBL without giving up total control.  Shortly 
after I configured servers to use a DNSBL for the first time, I recognized 
the need for a local DNSWL and have continued to use one ever since.  When 
I setup other people's servers to use DNSBLs, I help them setup a DNSWL 
and explain how to maintain it.
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_




RE: Move all 9-1-1 to 8-5-5

2003-03-11 Thread jlewis

On Tue, 11 Mar 2003, Mark Segal wrote:

> Yes.. But most people don't run translations for all NPA-NXXs on their 4
> line PBX

And your misconfigured PBX won't likely stop me from calling you...just 
you from calling me.  Bad bogon filters stop or prevent traffic in both 
directions.

If anyone has a better idea for shifting the burden to and thus creating 
motivation for those with broken filters to fix them now, by all means, 
share your idea.

If you don't have a better idea yet, go ask ARIN for some space.  They
have lots of 69/8 left.  Maybe when you're in the club, you'll be more
motivated to think of ways to quickly encourage others to fix their
networks.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_____ http://www.lewis.org/~jlewis/pgp for PGP public key_



RE: 69/8...this sucks

2003-03-10 Thread jlewis

On Mon, 10 Mar 2003, Frank Scalzo wrote:

> We don't need the adminstrative headache of ICANN/ARIN/RIRs on this.
> Someone could just do it with a private ASN and advertise the route with
> an arbitrarily null routed next-hop.

That's a non-solution that will never happen.  How many networks are going 
to trust joe somebody to inject null routes into their backbone?  Will 
UUNet/Sprint/C&W/Level3/etc. trust me or Rob to tell them what's a bogon 
and what's not?  I really doubt it.  They might have an easier time 
trusting their local RIR, but I wouldn't be surprised if they didn't.

I realize this sort of thing worked early on with the RBL, but that was 
for a different purpose.  For those who took the RBL via BGP, I suspect 
the benefit of blocking spammers from their networks outweighed the risk 
of RBL abuse and people trusted Vixie to be objective and honest. 

> That doesn't solve the problem of bad filters on firewalls.

Several people pointed that out earlier.  Botched / outdated firewall 
configs may be a bigger problem than BGP filters.  For a glimpse at why, 
see
http://groups.google.com/groups?q=69.0.0.0%2F8&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search

> The problem is lots of books/webpages/templates/etc. say filter bogons.
> People not smart enough to understand the responsibilities of doing so
> implement it and forget it. Instead of trying to beat up on the large

Worse is that there are pages and pages full of links to usenet posts with
these outdated bogon filters.  Books and web pages can be updated.  The
usenet archive isn't going away and won't be revised.  People who don't
know any better are going to continue to misconfigure bogon filters
indefinitely unless something is done to periodically whack some sense
into them.

> Funny the media gets all excited about BGP security and dDos attacks
> against a root nameserver yet no one ever seems to mention the real
> scalability issues like that we can't allocate large parts of the net
> because many network operators aren't bright enough to update filters.

I know some writers watch nanog for potential stories.  Wake up guys, this 
should be one...if not for the news value "ARIN gives out unusable IPs, 
future of the Net in question", then at least for the public service value 
of getting the word out that bogon filters need to be maintained and kept 
up to date or they do more harm than good.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



  1   2   >