wanted: server hotel location(s) in SE,GR

2008-02-28 Thread travis+ml-nanog
Hi,

I was wondering if anyone knew of server hotel locations in Sweden or
Greece.

More generally, if there is a good resource for me to look this up
myself next time.

Thanks in advance,
Travis
-- 
URL:https://www.subspacefield.org/~travis/
Q: Who Would Jesus Waterboard?  A: Matthew 5:38-42
For a good time on my email blacklist, email [EMAIL PROTECTED]




wanted: offshore hosting

2007-10-09 Thread travis+ml-nanog
Hello all.

Last time I asked for a hosting place, I ended up going with
LayeredTech, but I can give you a list of options if you like.

So, I'd like to rent a box somewhere outside of the US, for geographic
redundancy and other reasons.

Must be dedicated hosting, relatively cheap bandwidth, lots of space
(500GB?), allow us to run Debian Linux, take US credit cards.  No tech
support other than rebooting the box needed.

I'd prefer if they spoke English, but weren't in the UK or US.  I
could deal with it if they only spoke Spanish.  A reputable Brazilian
shop would be nice, but I'm pretty open to any suggestions.

Does anyone have good experience with any outfits that match this
description?

Thanks!
-- 
URL:http://www.subspacefield.org/~travis/ Eff the ineffable!
For a good time on my UBE blacklist, email [EMAIL PROTECTED]




Re: Detecting parked domains

2006-08-02 Thread ennova2005-nanog
Although the original poster did not state a reason for why they wanted to detect such a domain - others have since suggested that the web site content on such a "parked domain" is of no (original) value since only ads run on such a site.

By that definition all billboards or stand alone advertising has no intrinsic content value. That complaint is justified only if you are lured into such a site under false pretense - such as by the site owner's active efforts at search engine pollution - so the "offending" behaviour has to go beyond simply running ads on a "parked domain" to which you may not have been solicited.

Mistyping or typing in domain names and ending on such a site is a grey area - for example you don't blame the owner of a misdialed phone number for running any service they like on such a number just because it is two digits transposed from a "well known" or your otherwise intended phone number. That can go both ways - several cases of the wrong toll free number getting flooded with calls or the storied error from the 2004 US Presidential campaign when the Republicans sent the TV audience off to a Democratic leaning web site. Yes, there are some speculators that are counting on user errors of omission or commission but an algorithmic divining of what the intent is is problematic.

Domain names are the "real estate" of the 21st century. You may wish to acquire a property for its "location", rent it to someone else now, and only wish to use it for your own use in the future. You could just leave it unoccupied. This would only be considered a problem if you engaged in deceptive advertising outside that property to lure someone in and tried to sell them something else.

That said, search engines do have their own heuristics on how to rank such pages "lower" in search results. Any articles that describe how Google's page ranking works talk about ratio of native content to hyperlinked content, number of outbound links to inbound links etc, number of links to other pages on the same site (many "parked domains" are single page sites but the reverse is not always true).

Finally, if you have registered a domain lately - the web site associated with the domain is automatically associated with a "parked" page by most registrars (Network Solutions, Yahoo!, GoDaddy) immediately upon completion of registration and they run their own (revenue accruing to the registrar) ads on it till such time as you configure your own DNS servers and point it elsewhere. The maligned "middleman" comes into the picture later.

I am as frustrated as the next person when I end up on a site that lured me in with clever manipulation of keywords and search engine optimization - only to show me ads - but I would be loath to paint all "parked domains" with a broad brush.

 Parked: A domain hosted by a middle-man for the sole purpose of generating
 revenue from pay-per-click advertising. Characterized by having no
 content of value.

Re: Sitefinder II, the sequel...

2006-07-13 Thread ennova2005-nanog
Divining user intent is better handled in the user application where such intent was stated rather than in the infrastructure (DNS).

If the service wants to help (human) users find their way to the web sites they "intended" to get to .. isn't a better solution the one already offered by many search engines - which is to prompt the user with a question

Did you mean ... (offers corrected spelling) ?
Perhaps you meant to go to (list of sites follows) ?

This alerts the user that they made a mistake, and lets them pick another action from the application they used in the first place (application local behaviour).

If so, the solution belongs in the browser and not in DNS where it may have unintended consequences. Some browsers will let you specify the action that should follow if the URL in question could not be found, and if not this functionality could be rolled into a useful plugin or extension.

(Yes, this approach is not without its detractors - http://news.com.com/Microsoft+gives+error+pages+new+direction/2100-1023_3-272578.html )

RE: DNS Based Load Balancers (redux)

2006-07-05 Thread ennova2005-nanog
Stepping back for a moment...

Many (most) popular services end up in multiple data centers first because they want to get diversity (of data centers, of ISPs, maybe of pricing). All mission critical sites will be designed such that a subset of these data centers can take their entire load if need be.

Once spread out this way - you may need to run some or all of them in an active/active configuration so you need to balance load between them in some fashion between them.

If you are going to split the load - a natural desire is to split it such that it actually increases performance for users. You figure network proximity (of the end user to the serving destination) ought to be a criteria - but the load on your cluster may be more important for personalization intensive sites.

You start with round robin DNS but it leaves you unsatisfied along the way. You play around with souped up DNS servers that are fed with monitoring tools that measure reachability as well as some measure of load. You also discover that the most popular browser will gladly ignore your TTL settings and insist on sending your traffic to the data center that is down. You are frustrated when you find out that users of ISP A are being served out of your Data Center at ISP B, even though you have a data center connected to ISP A. You think Anycast might be the answer but not everyone is set up to do Anycast. You find some clever people have been aggregating data that will offer to geolocate your callers IP addresses and maybe there is a way to use that information to find the nearest server. You realize the accuracy of this list is dubious, the exchange points for several countries may actually be on the coasts of the United States, and how would you integrate this into your DNS or HTTP redirector, while still doing 2 shift day job.

You turn to alternatives, and find the shiny boxes and/or services called the GLBS. They perform 2 main services.

First, they hand out answers, which may vary in time and space, to your clients as to where to find the service they are looking for.

Second, they decide what this "right" answer is.

You post to NANOG and you get admonished about their efficacy on both counts. This is initially wrapped in appeals to love of God and country and general harm that might befall mankind but no one says what or why.

On reflection, objections to the first part of this are usually along the "strict constructionist" point of view. No real harm comes from returning changing answers but when the Man who wrote the book jumps in with both feet you take pause. He chides people for using stupid tricks. You wonder if they are stupid in the same way as the "For Dummies" series of books is not really for dummies.

Objections to the determination of what the "right" answer is are more vociferous. Some immediately take the view that since the question was about DNS based load balancers, the inference was that the GLBS must be using DNS logistics to decide what the right answer is, even though DNS may simply be used to "right communicate the right answer (the first part), but not calculated (the second part).

The GLBS may indeed be using some measure of server load, or even BGP derived network maps, or some other knowledge of topology or proximity but that gets drowned in the "the proximity of the DNS resolver to the GLBS is not a proxy for the actual end user". The latter is actually strictly true, and it is difficult to argue given the specific examples of where it fails, but no one is able to say how many times in normal use this technique actually returns a bad answer.

You even hear from a man with one leg in US and one in Europe using a split tunnel VPN who wonders why when he orders Pizza using his tunnel to the HQ back in Europe, he doesn't get greasy satisfaction back in the US. You wonder what happens when he calls 911 on his VOIP phone, without having manually configured his PSAP in that configuration, but you have other problems to worry about at the moment. You also hear about the "AOL Proxy" effect masking all users behind it. Well actually you don't hear that, but someone should have chimed in about that.

You hear some mumbling about the use of AS path lengths or a geo-location database of end user IPs not being a true measure. Yet you wonder if the Internet is actually not getting more stable everyday and that the nominal topology and the AS Paths for the more heavily trafficked routes may actually not change that rapidly in normal course.

You also hear from others who have been using variations of GLBS for several years, and have even created large businesses by serving their customers this way. Their web sites are full of gleaming testimonials from these customers. Someone says no one got fired for using the GLBS... You wonder if those customers just bought insurance.

You scratch your head some more. You w

Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread ennova2005-nanog
Now we are all allowed the occasional fun at the management lacking a clue - but come on. The users have an expectation that their "access to the Internet" works like a utility. When you say the "power is shut off" you don't expect to expand on whether the power grid in your state had a cascading failure but people on the other coast still have power and when your "water supply is shut off" does not mean that all the people in the world can't get a drop.

It just means that her "Internet is off" and as far as she is concerned the whole Internet/Power/Water supply might as well be "off"

p.s. 768 OC-192s worth of Internet traffic can indeed be carried on a single DS1 if the "Internet is off" :-)

- Original Message -
From: Peter Ferrigan [EMAIL PROTECTED]
To: nanog@merit.edu
Sent: Friday, June 23, 2006 7:04:18 AM
Subject: Re: Who wants to be in charge of the Internet today?

At one of my old jobs, my boss honestly believed that we had a 'switch' that turned the entire internet off or on.

When she was having problems accessing her shopping sites, she'd storm in the office and say something like 'did you guys turn the internet off again?'

sigh

Then again, this is the same person that tried to tell me that 768 OC-192s are carried on a single DS1..

- Peter

On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:

 On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:

 I shudder to think what would happen under large scale attack if one of the CEOs in that room had "responsibility" for the correct functioning of the "Internet".

 This definitely falls into the "Just Doesn't Get It" category.

 --
 TTFN,
 patrick

Re: IP failover/migration question.

2006-06-11 Thread ennova2005-nanog
You don't say who the "clients" are - I presume this is a web based application so essentially you are trying to migrate service in flight to another set of servers within the TCP/HTTP session timeout without the client missing a beat ?

If another kind of client, does it also have auto reconnect/retry logic built in for service restoral if the connection times out ?

Is the session/host state worth preserving for communication between the servers in the cluster or between the clients and the service also ?

I know of people who have been able to do this on LANs using SANs to store shared host states and having a new VM pick up the connections, but on an internet-wide scale you are likely looking only at a probabilistic guarantee assuming that your routing would always converge in time and packets start flowing to the Disaster Recovery (DR) site.

This is much easier if you can stick within a single AS of course. Others will be able to answer whether these routing changes will attract dampening penalties if you have to pick providers in different ASes.

Assuming all of that doesn't matter, then a somewhat cleaner way to do this would be to advertise a less specific route from the DR location covering the more specific route of the primary location. If the primary route is withdrawn, voila .. traffic starts moving to the less specific route automatically without you having to scramble at the time of the outage to inject a new route.

Andrew Warfield [EMAIL PROTECTED] wrote:

 I've got a bit of a network reconfiguration question that I'm wondering if anyone on NANOG might be able to provide a bit of advice on:

 I'm working on a project to provide failover of entire cluster-based (and so multi-host) applications to a geographically distinct backup site.  The general idea is that as one datacentre burns down, a live service may be moved over to an alternate site without any interruption to clients.  All of the host-state migration is done using virtual machines and associated magic; I'm trying to get a more clear understanding as to what is involved in terms of moving the IPs, and how fast it can potentially be done.

 I'm fairly sure that what I would like to do is to arrange what is effectively dual-homing, but with two geographically distinct homes: Assuming that I have an in-service primary site A, and an emergency backup site B, each with a distinct link into a common provider AS, I would configure B's link as redundant into the stub AS for A -- as if the link to B were the redundant link in a (traditional single-site) dual-homing setup.  B would additionally host its own IP range, used for control traffic between the two sites in normal operation.

 When I desire to migrate hosts to the failover site, B would send a BGP update advertising that the redundant link should become preferred, and (hopefully) the IGP in the provider AS would seamlessly redirect traffic.  Assuming that everything works okay with the virtual machine migration, connections would continue as they were and clients would be unaware of the reconfiguration.

 Does the routing reconfiguration story here sound plausible?  Does anyone have any insight as to how long such a reconfiguration would reasonably take and/or if it is something that I might be able to negotiate a SLA for with a provider if I wanted to actually deploy this sort of redundancy as a service?  Is anyone aware of similar high-speed failover schemes in use on the network today?

 Thoughts appreciated, I hope this is reasonably on-topic for the list.

 best,
 a.

Re: MEDIA: ICANN rejects .xxx domain

2006-05-12 Thread John Palmer (NANOG Acct)

What are they talking about? .XXX already exists:

%dig ns xxx @g.public-root.com

;  DiG 9.3.2  ns xxx @g.public-root.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 65
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;xxx.  IN NS

;; AUTHORITY SECTION:
xxx.  172800 IN NS eugene.kashpureff.org.
xxx.  172800 IN NS ga.dnspros.net.

;; ADDITIONAL SECTION:
ga.dnspros.net.  172800 IN A 64.27.14.2

;; Query time: 2 msec
;; SERVER: 199.5.157.131#53(199.5.157.131)
;; WHEN: Fri May 12 18:12:48 2006
;; MSG SIZE rcvd: 100

Oh, sorry - you mean in the restricted USG root where ICANN actually has to
approve new TLDs rather than just doing the technical coordination (the ONLY
thing they were tasked to do in the first place).

Freedom/Free Market Score: Inclusive Namespace: INFINITY, ICANN: ZERO




Re: MEDIA: ICANN rejects .xxx domain

2006-05-12 Thread John Palmer (NANOG Acct)

Splintering the namespace is a convenient excuse that ICANN uses to
engage in restraint of trade and excessive regulation. ICANN was
never given the right to regulate entry into the industry, only to be 
a technical coordinator. 

Calling people kooks is a good way to get sued, but it doesn't add
anything useful to the debate. 

- Original Message - 
From: Warren Kumari [EMAIL PROTECTED]
To: John Palmer (NANOG Acct) [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, May 12, 2006 5:38 PM
Subject: Re: MEDIA: ICANN rejects .xxx domain 


 
 
 On May 12, 2006, at 3:26 PM, John Palmer (NANOG Acct) wrote:
 
 
  What are they talking about? .XXX already exists:
 No it doesn't, see below:
 
 dig ns xxx @g.LookMaICanAlsoSplinterTheNameSpace.com
 
 ;  DiG 9.2.1  ns xxx @10.24.0.7
 ;; global options:  printcmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 3245
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;xxx.   IN  NS
 
 ;; AUTHORITY SECTION:
 .   86400   IN  SOA  
 Kook.LookMaICanAlsoSplinterTheNameSpace.com
 
 ;; Query time: 4 msec
 ;; SERVER: g.LookMaICanAlsoSplinterTheNameSpace.com#53(192.0.2.1)
 ;; WHEN: Fri May 12 15:34:17 2006
 ;; MSG SIZE  rcvd: 96
 
 And this is exactly why there should be only 1 namespace.
 
 W
 
 
  %dig ns xxx @g.public-root.com
 
  ;  DiG 9.3.2  ns xxx @g.public-root.com
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; -HEADER- opcode: QUERY, status: NOERROR, id: 65
  ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
 
  ;; QUESTION SECTION:
  ;xxx.  IN NS
 
  ;; AUTHORITY SECTION:
  xxx.  172800 IN NS eugene.kashpureff.org.
  xxx.  172800 IN NS ga.dnspros.net.
 
  ;; ADDITIONAL SECTION:
  ga.dnspros.net.  172800 IN A 64.27.14.2
 
  ;; Query time: 2 msec
  ;; SERVER: 199.5.157.131#53(199.5.157.131)
  ;; WHEN: Fri May 12 18:12:48 2006
  ;; MSG SIZE rcvd: 100
 
  Oh, sorry - you mean in the restricted USG root where ICANN  
  actually has to approve new TLDs rather than just doing the technical
  coordination (the ONLY thing they were tasked to do in the first  
  place).
 
  Freedom/Free Market Score: Inclusive Namespace: INFINITY, ICANN: ZERO
 
 
 
 Life is a concentration camp.  You're stuck here and there's no way  
 out and you can only rage impotently against your persecutors.
  -- Woody Allen
 
 
 
 
 



RE: Verizonwireless.com Blacklisted SMTP

2006-04-26 Thread Wayne Gustavus (nanog)



There is no 'might' about it; VZ (aka VZ Telecom, VOL, VZBusiness) != VZ Wireless
They are 2 completely different operations and networks.

- Wayne

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Riling
  Sent: Tuesday, April 25, 2006 3:30 PM
  To: nanog@merit.edu
  Subject: Re: Verizonwireless.com Blacklisted SMTP

  Correct, the only thing I pulled out was our particular IP address;
  I've proven this true from multiple boxes on Cogent's network that are
  unrelated to my workplace. I did go through that Verizon Online Whitelist
  procedure, and got a response saying that it has been approved and will be
  changed within 72 hours, but as someone mentioned before, VOL might != VZW...

  Thanks,
  Chris

  On 4/25/06, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:

  On 4/25/06, Frank Bulk [EMAIL PROTECTED] wrote:
  This posting on broadbandreports.com might add some background to your issues:
  http://www.broadbandreports.com/shownews/73818

  Verizon (broadband etc) != Verizonwireless
  Different mail farms and all

  The error returned seems reasonably clear - except for munging of IPs by the OP

  554-Your access to the VZW mail systems has been rejected due to the sending
  554- MTA or Network Service Provider's poor reputation/ e-mail hygiene on the Internet.
  554-
  554-Please reference the following URL for more information:
  554-http://www.senderbase.org/search?searchString=


RE: VZ Maryland contact needed

2006-04-26 Thread Wayne Gustavus (nanog)

William,
Should be back online as of this afternoon.  There was a faulty network
component that impacted DSL service in the MD area.

- Wayne  

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of William Warren
 Sent: Monday, March 27, 2006 1:14 PM
 To: nanog
 Subject: VZ Maryland contact needed
 
 
 I have a client who's been offline all day.  The dsl line is fine and 
 their modem and firewall are also fine but data is not making it to 
 them.  All traffic to midatlantictime.net seems to get hung up at 
 130.81.10.226.  I have tried from California, and two locations in 
 Maryland and Texas.
 
 Sincerely,
 William Warren
 
 -- 
 My Foundation verse:
 Isa 54:17  No weapon that is formed against thee shall prosper; and 
 every tongue that shall rise against thee in judgment thou shalt 
 condemn. This is the heritage of the servants of the LORD, and their 
 righteousness is of me, saith the LORD.
 
 
 
 



Google AdSense Crash

2006-04-22 Thread John Palmer (NANOG Acct)

Google Adsense has been down for several hours now. This is the interface that
partners use to manage their advertising settings.



Re: Google AdSense Crash

2006-04-22 Thread John Palmer (NANOG Acct)

OK - more: Don't have an answer as to why, but the website comes up with:

The Google AdSense website is temporarily unavailable. Please try back later. 
We apologize for any inconvenience.

This is a big deal and it is operational in nature.

- Original Message - 
From: Daniel Golding [EMAIL PROTECTED]
To: 'william(at)elan.net' [EMAIL PROTECTED]; 'John Palmer (NANOG Acct)' 
[EMAIL PROTECTED]
Cc: 'nanog' nanog@merit.edu
Sent: Saturday, April 22, 2006 3:58 PM
Subject: RE: Google AdSense Crash


 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
  william(at)elan.net 
  On Sat, 22 Apr 2006, John Palmer (NANOG Acct) wrote:
  
  
   Google Adsense has been down for several hours now. This is the
  interface that partners use to manage
   their advertising settings.
  
  And this is reported on nanog because...?
  
 
 Because this is the Internet's most profitable advertising service and ISP's
 will get complaints if their customers (esp. business customers) can't reach
 it, even on the weekend. Outage reports are operational, unlike many
 threads. More, please.
 
 Daniel Golding
 
 
 



Re: DNS Amplification Attacks

2006-03-17 Thread ennova2005-nanog
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing. Done closer to the ingress edge this filtering shouldn't be that expensive. Not everyone will do it, but at least it will limit the places from where source address spoofing attacks originate.

The administrative burden arguments don't fly - a list of routes and IP address assignments per customer is already maintained both by ISPs and the customers - and route filters access lists are routinely automated. So beyond laziness - are there any technical reasons why this causes problems for anyone ?

Gadi Evron [EMAIL PROTECTED] wrote:

 In this paper we address in detail how the recent DNS DDoS attacks work.

 How they abuse name servers, EDNS, the recursive feature and UDP packet spoofing, as well as how the amplification effect works.

 Our study is based on packet captures (we provide with samples) and logs from attacks on different networks reported to have a volume of 2.8Gbps. One of these networks indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers.

 In the conclusions we also discuss some remediation suggestions.

 Given recent events, we have been encouraged to make this text available at this time.

 URL: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

 Please note that this version of this paper is prior to submission for publication and that the final version may see significant revisions.

 Thanks,
 Randy Vaughn and Gadi Evron.
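
The per-customer source filtering discussed in the message above, sketched as an added example that is not part of the original thread: it derives an ingress filter from a customer prefix-assignment list and shows which source addresses such a filter would drop. Customer names, prefixes (documentation ranges) and the permit/deny line format are constructed for illustration and are not any vendor's ACL syntax.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: customer -> prefixes assigned or routed to that customer.
# Documentation prefixes (RFC 5737 / RFC 3849) stand in for real allocations.
ASSIGNMENTS = {
    "cust-a": ["192.0.2.0/25", "192.0.2.128/26", "192.0.2.192/26"],
    "cust-b": ["198.51.100.0/24", "2001:db8:b::/48"],
    "cust-c": ["203.0.113.16/28", "203.0.113.0/24"],
}

# Constructed observations: (customer port the packet arrived on, source address).
OBSERVED = [
    ("cust-a", "192.0.2.200"),     # inside cust-a's space
    ("cust-a", "198.51.100.7"),    # cust-b's space seen on cust-a's port
    ("cust-b", "2001:db8:b::53"),  # inside cust-b's IPv6 space
    ("cust-b", "2001:db8:c::1"),   # unassigned IPv6 source
    ("cust-c", "203.0.113.77"),    # inside cust-c's space
    ("cust-c", "10.1.2.3"),        # private source leaking or spoofed
    ("cust-z", "192.0.2.1"),       # port with no assignment record at all
]


def build_filters(assignments):
    """Turn the assignment list into one minimal prefix list per customer."""
    filters = {}
    for customer, prefixes in assignments.items():
        by_version = defaultdict(list)
        for prefix in prefixes:
            # strict=True rejects typos such as 192.0.2.1/24 (host bits set).
            net = ipaddress.ip_network(prefix, strict=True)
            by_version[net.version].append(net)
        collapsed = []
        for version in sorted(by_version):
            # Merge adjacent and nested prefixes so the filter stays short.
            collapsed.extend(ipaddress.collapse_addresses(by_version[version]))
        filters[customer] = collapsed
    return filters


def find_overlaps(filters):
    """Report prefixes claimed by two customers; these need fixing in the
    assignment records before a filter is generated from them."""
    items = [(c, n) for c, nets in filters.items() for n in nets]
    clashes = []
    for i, (c1, n1) in enumerate(items):
        for c2, n2 in items[i + 1:]:
            if c1 != c2 and n1.version == n2.version and n1.overlaps(n2):
                clashes.append((c1, str(n1), c2, str(n2)))
    return clashes


def source_permitted(filters, customer, src):
    """True if src falls inside a prefix assigned to the ingress customer."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in filters.get(customer, []))


def render(filters, customer):
    """Vendor-neutral rendering: permit assigned sources, drop everything else."""
    lines = [f"permit source {net}" for net in filters.get(customer, [])]
    lines.append("deny source any")
    return lines


def audit(filters, observed):
    """Return the (customer, source) pairs the ingress filter would drop."""
    return [(c, s) for c, s in observed if not source_permitted(filters, c, s)]


FILTERS = build_filters(ASSIGNMENTS)

if __name__ == "__main__":
    for name in FILTERS:
        print(name, render(FILTERS, name))
    print("overlapping assignments:", find_overlaps(FILTERS))
    print("dropped:", audit(FILTERS, OBSERVED))
```

A port with no assignment record gets an empty permit list, so every source arriving on it is dropped rather than allowed by default.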

Re: DNS TTL adherence

2006-03-14 Thread ennova2005-nanog
Although you asked for DNS servers - it helps to remember that no matter what the servers and resolvers do - IE will bring that behaviour to naught in many cases

http://support.microsoft.com/default.aspx?scid=KB;en-us;263558

"Thurman, Steven" [EMAIL PROTECTED] wrote:

 Does anyone know if there is a research paper or statistics related to what percentage of DNS servers do not adhere to advertised TTL’s? I am looking for some verifiable research on this topic if it is available.

 Thanks,
 Steve

APC NetworkAir FM series

2006-03-01 Thread JB Nanog

Wanted to know thoughts on the APC Network FM series for cooling datacenters? If this is the wrong place for this topic, I apologize.

Thanks


RE: anybody here from verizon's e-mail department?

2006-02-22 Thread Wayne Gustavus (nanog)

Or he hasn't paid his fair share to ride our pipes!  :-P   ducks

- Wayne 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Suresh Ramasubramanian
 Sent: Wednesday, February 22, 2006 1:29 AM
 To: Dennis Dayman
 Cc: nanog@merit.edu
 Subject: Re: anybody here from verizon's e-mail department?
 
 
 On 2/22/06, Dennis Dayman [EMAIL PROTECTED] wrote:
 
  No, but I have forwarded this to the abuse team I used to work in. Some of
  them are also on Z.
 
  Normally this is because the MAIL FROM: failed or rejected sender
  verification.
 
 
 Which probably means Paul is blocking whatever server Verizon is using
 for its sender verification
 
 --
 Suresh Ramasubramanian ([EMAIL PROTECTED])
 



RE: anybody here from verizon's e-mail department?

2006-02-21 Thread Wayne Gustavus (nanog)

First, I'm not on the mail team, so I can't help you directly.

Second, your best bet is to attempt contact thru the following web form:
www.verizon.net/whitelist

- Wayne 

___
Wayne Gustavus, CCIE #7426
IP Operations Support 
Verizon Internet Services   
___
Can you ping me now?  Good!

 


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Paul Vixie
 Sent: Tuesday, February 21, 2006 12:58 PM
 To: nanog@merit.edu
 Subject: anybody here from verizon's e-mail department?
 
 
 
 last week i became unable to send mail to verizon users:
 
 Diagnostic-Code: X-Postfix; host 
 relay.verizon.net[206.46.232.11] said:
 550 You are not allowed to send mail:sv18pub.verizon.net
 (in reply to MAIL FROM command)
 
 (the above was from me trying to ask [EMAIL PROTECTED] about it)
 
 i'd hate to think that i've simply sent too many 
 why-are-you-spamming-me
 complaints and have been blacklisted.
 
 



Re: Quarantine your infected users spreading malware

2006-02-20 Thread eric-list-nanog

On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...

[snip]

 I'll update on these as I find out more on: http://blogs.securiteam.com
 
 This write-up can be found here: 
 http://blogs.securiteam.com/index.php/archives/312

Ah yes, the old self-promotion trick. You know, I get some ads for [EMAIL PROTECTED]
that sound pretty good until I have to click on their link to get more
information.

Moderators: doesn't this border on spam?


RE: Anyone heard of INOC-DBA?

2006-02-04 Thread Wayne Gustavus (nanog)

To chime with my own experiences, the few times I have used the INOC-DBA
system for an Inter-provider issue have been quite successful.  The
results were much faster and much less frustrating than calling through
the 'front door' of the provider's NOC.  

And it is fair to say that the system only gains usefulness with wider
implementation among network providers and appropriate deployment of the
phones within the organization.  Within Verizon, I deployed the phones
with our IP-NOC (yes, we have *many* NOCs, but only 1 handles IP
issues), with our IP escalation team (TAC), and on my desk (footnote: my
desk recently moved and haven't gotten the inoc-dba phone back up on the
new net infrastructure).  

In light of recent purchases by VZ, if none of the above methods work,
just call Chris Morrow.  Just kidding Chris! :-)

- Wayne 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Christopher L. Morrow
 Sent: Friday, February 03, 2006 4:31 PM
 To: Richard A Steenbergen
 Cc: Sean Donelan; nanog@merit.edu
 Subject: Re: Anyone heard of INOC-DBA?
 
 
 
 
 On Fri, 3 Feb 2006, Richard A Steenbergen wrote:
 
  And then of course there is that whole using the IP 
 network to contact
  someone about an IP network issue thing that doesn't seem 
 terribly well
  thought out... Admittedly I haven't looked at the INOC-DBA 
 stuff in a
  while, there could have been some massive advancement that 
 I'm not aware
  of, but I suspect that the situation is still more work 
 needed. Existing
  phone systems, call centers, and engineers with cellphones, 
 seems to be a
  much safer bet right now.
 
 there is no one solution... to anything except 'life' 
 (solution == death).
 So, how about looking at it as a tool to use. You might have your
 provider's $Person_for_Problem in your cell phone, use that 
 if you can.
 Use their Customer Service number or use their INOC number putting
 down a project that does work because it's not the holy grail isn't
 productive.
 
 



RE: Password Security and Distribution

2006-01-24 Thread (nanog) Brian Battle

Our company is starting to grow rather quickly and we are starting 
to have growing pains. We are in the need for a better mechanism for 
sharing passwords between our engineers.

I wish there was a system that let you do the following:

* Store and encrypt logins/passwords and access logs in a database
* Assign permissions (add new logins/passwords, change password...)
  to those passwords on a per user/group basis, based on an existing
  authentication scheme (Windows AD, LDAP, Kerberos...)
* SSL web frontend
* Reporting.  If a user leaves and you want to know which passwords
  he had access to or has ever accessed so you can change them, this
  would be really really nice.

I've been playing around with Network Password Manager from www.sowsoft.com.
It seems like the best product available in this area that I could find that
makes sharing passwords kinda easy, but it's a service that runs on Windows,
requires a Windows client software installation, and lacks any sort of
reporting.




NOC Contact for Tonline.de

2006-01-07 Thread Wayne Gustavus (nanog)

Anyone from Tonline.de on the list or anyone have a contact for them?
It appears they have outdated bogon filters that are blocking some of
our customers.  Please contact off-list, thanks.


___
Wayne Gustavus, CCIE #7426
IP Operations Support 
Verizon Internet Services   
___
Can you ping me now?  Good!

 



Re: Biggest operational ISP in Israel?

2005-12-21 Thread rafi-nanog


On Wed, 21 Dec 2005, Hannigan, Martin wrote:



Who is the biggest operational NSP in Israel?

Thanks,

Martin



 Hi Martin

What is your metric for biggest ?

  There always seems to be more than one claiming to be the biggest  ...

--

Rafi


P.S. FYI: IIRC international data bandwidth in Israel
costs on the order of 16 times the costs in EU
 - so I'm not sure how good a metric that is :-(




RE: New Rules On Internet Wiretapping Challenged

2005-11-03 Thread Wayne Gustavus (nanog)

 
 The 1994 law will have a devastating impact on the whole model of
 technical innovation on the Internet, said John Morris, staff counsel
 for the Center for Democracy and Technology in Washington, which filed
 an appeal of the rules with the U.S. Court of Appeals for the District
 of Columbia Circuit yesterday.
 
 The Internet evolves through many tens of thousands, or hundreds of
 thousands, of innovators coming up with brand new ideas, he said. That
 is exactly what will be squelched.

Implementation of the mechanisms for compliance is relatively
straightforward. Depending on how scalable and/or automated the
mechanisms are, the complexity certainly increases.  However, I hardly
agree that including these requirements in the design of the network
hardware or architecture equates to the 'squelching' of innovation or a
'devastating impact' on the Internet.  Especially when compared to the
alternative of providing an unfettered command & control communications
network for the miscreants.


___
Wayne Gustavus, CCIE #7426
IP Operations Support 
Verizon Internet Services   
___
Can you ping me now?  Good!

 



RE: SBC/ATT + Verizon/MCI Peering Restrictions

2005-11-03 Thread Wayne Gustavus (nanog)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barak
 Sent: Wednesday, November 02, 2005 2:18 PM
 To: NANOG list
 Subject: Re: SBC/ATT + Verizon/MCI Peering Restrictions
 

snip

 like to point out for the record that none of the
 recent depeering battles have involved any RBOCs...
 

Which makes sense when you consider much of the current traffic flows.

It gets even more interesting when you look at the fast-increasing
number of fat FiOS pipes.  When you take
(edonkey/kazaa/ptp-du-jour)+FiOS you get a network of distributed
'content providers'.  

Reference the earlier post about broadband getting a lot less
interesting w/o the content.  Well this rings true when you weigh the
traffic load of 100K's of users poking around in a portal vs. 100K's of
users 'shopping' for music & movies!


___
Wayne Gustavus, CCIE #7426
IP Operations Support 
Verizon Internet Services   
___
Can you ping me now?  Good!

 



Re: h-root-servers.net

2005-10-23 Thread John Palmer (NANOG Acct)

No, why don't you stop insulting people, Niels. You attack Peter because
of his involvement in the Inclusive Namespace. FYI: Public root servers
are online and available. Maybe the h-root ops should ask the P-R technical
committee for assistance if they cannot keep their servers up.

- Original Message - 
From: Niels Bakker [EMAIL PROTECTED]
To: Peter Dambier [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Sunday, October 23, 2005 3:48 PM
Subject: Re: h-root-servers.net


 
 * [EMAIL PROTECTED] (Peter Dambier) [Sun 23 Oct 2005, 22:34 CEST]:
 I know of one host here in Germany who can see h.root-servers.net. That 
 host is living in a KPN data centre directly connected to Amsterdam IX.
 
 Peter, please stop posting nonsense.
 
 
 -- Niels.
 
 



Re: Verizon outage in Southern California?

2005-10-18 Thread John Palmer (NANOG Acct)


- Original Message - 
From: Hannigan, Martin [EMAIL PROTECTED]
To: Matthew Black [EMAIL PROTECTED]; NANOG [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 4:35 PM
Subject: FW: Verizon outage in Southern California?

507 E LEW is holding the most switching gear is likely
a tandem. Um, I think this is the tandem code, PNTCMIMN50T,
and it's servicing about 20 areas.

Uhh, think you might have the wrong CLLI code. PNTCMIMN50T is
in Pontiac, Michigan and yes, it is a tandem.








Re: Cogent/Level 3 depeering

2005-10-05 Thread eric-list-nanog

On Wed, 2005-10-05 at 06:01:15 -0400, Richard A Steenbergen proclaimed...

 
 I guess the earlier reports of (3)'s lack of testicular fortitude may have 
 been exaggerated after all. :)

Luckily, many of us have ipv6 tunnels that managed to help us get around
this. See, ipv6 has a purpose, after all! :-)


Corruption and Monopoly is the real Issue (was Re: Turkey has switched Root-Servers)

2005-09-27 Thread John Palmer (NANOG Acct)


 
 Is your problem that it takes X months/years to get a new TLD put into the
 normal ICANN Root system? Or is it that you don't like their choice of
 .com and want .common (or some other .com replacement?). There is a
 process defined to handle adding new TLD's, I think it's even documented
 in an RFC? (I'm a little behind in my NRIC reading about this actually,
 sorry) Circumventing a process simply because it's not 'fast enough'
 isn't really an answer (in my opinion at least) especially when it
 effectively breaks the complete system.
 

No, the process is locked up by monopolistic ICANN.

There is one issue no one has mentioned lately. There are people who
have spent hundreds of thousands of dollars developing their TLD properties
and they are effectively being shut out of the market by ICANN. 

We shouldn't need ICANN's permission to operate our TLDs and if 
ICANN won't support our TLDs, then we need an alternative way
to operate our businesses. We have a right to operate our TLDs and
the Inclusive Namespace is the way, since it does not force us to pay
protection money or force us to impose the horrid UDRP on our
customers.

A free market system would allow all business models to exist. ICANN and
its bureaucracy is not needed, just a contractor to maintain the root zone file.

ICANN was supposed to be a bottom-up, democratic, consensus driven
organization and board members (a significant portion of them) elected
by the internet citizens of the world. Almost before the ink was dry on 
the MOU, ICANN, under Mr. Roberts began backing down on their
responsibility to operate the organization in a democratic way. Now 
very few (if any) of the board members are directly elected by internet
citizens.

The result: ICANN is a corrupt monopoly that attempts to shut out 
competitors. If they want something, they steal it, just like they stole
.BIZ from Leah Gallegos. 

THAT is the problem with ICANN, and you know damn well it is.



Re: PBR needing to hit the cpu?

2005-09-18 Thread rafi-nanog




On Sat, 17 Sep 2005, Tony Li wrote:




That's not at all surprising.  PBR would be pretty hard to push into a 
hardware forwarding path.

Not impossible, but certainly challenging.

Tony



 Doesn't the SUP-720(PFC3B) support (some forms of) PBR in hardware ?


--
Thanks
Rafi


Re: UNITED.COM (United Airlines) has been down for days! Any info on this?

2005-09-03 Thread John Palmer (NANOG Acct)

Nice try, but the location that I was trying from did not use alternative root 
servers.

FYI: They are Inclusive Namespace Servers. 

- Original Message - 
From: John Levine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 03, 2005 1:49 PM
Subject: Re: UNITED.COM (United Airlines) has been down for days! Any info on 
this?


 
 The United Airlines website appears to be down and has been down for
 days.
 
 Is this a network issue or are they out of business??
 
 Darn those pesky alternate root servers.
 
 R's,
 John
 
 



Re: UNITED.COM (United Airlines) has been down for days! Any info on this?

2005-09-01 Thread eric-list-nanog

On Thu, 2005-09-01 at 12:54:42 -0500, John Palmer proclaimed...

 
The United Airlines website appears to be down and has been down for
days.

Plug your computer back into the network. It works fine here from several
AS's


Tiscali switches to Public-Root?? What do you think?

2005-07-31 Thread John Palmer (NANOG Acct)


From their press release at
http://www.tiscali.com/press/releases/10552825f1a.html

... As a result of this agreement, Tiscali will offer to its subscribers
across Europe the access to the entire World Wide Web, including the new
alternative domain names. The agreement underscores Tiscali's commitment
to embrace technological developments that simplify, improve and expand
the opportunities offered by internet ...

John




Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread John Palmer (NANOG Acct)


- Original Message - 
From: Todd Vierling [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Saturday, July 09, 2005 10:46 AM
Subject: Re: The whole alternate-root ${STATE}horse


 So what?  DNS is one of the protocols where interoperability is not just
 desirable, it's MANDATORY.
 
 Businesses and individuals expect that when they publish an e-mail or Web
 site hostname, that it be theirs and only theirs no matter where on the
 Internet it is accessed.  FQDNs are considered fixed points of entry, and
 alternate roots put that name resolution at risk.  (But if you had actually
 read RFC2826, you would already understand this.)
 

Please prove that Inclusive Namespace roots put name resolution at risk.
Please show how the current NTIA root is more secure than other roots.
Again, please refrain from emotional rhetoric driven by religion. What we
need is sound technical arguments.

 Client side users, conversely, expect that published addresses by businesses
 or individuals go to the intended party.  (But if you had actually read
 RFC2826, you would already understand this.)
 
 Introducing fragmented TLDs or the opportunity to supplant the common TLDs
 places the DNS infrastructure at risk.  This is not just FUD -- DNS
 hijacking in alternate roots has already happened.  (But if you had actually
 read RFC2826, you would already understand this.)
 

Please post a link or give an example. If you mean .BIZ, I would agree, it was
hijacked, but by ICANN, not by any Inclusive Roots. It belonged to AtlanticRoot
and ICANN deliberately created a collision. Collisions cause instability and the
biggest one was caused by ICANN.

   3. *Common sense.*  [Erm, oh yeah, perhaps I shouldn't feed the troll.
  After all, this is the same guy who thinks that resurrecting the
  long dead concept of source routed e-mail is scalable.]
 
  Since when did the NANOG mailing list become your personal
  venue for flinging personal insults at other list members?
 
 Nope, not personal -- it's just good to make sure a troll is properly
 labeled as such.  You know, like how cigarettes have bad-for-your-health
 warnings.
 
  For the record, I have never suggested that source-routing
  is a good idea for email nor have I ever suggested that
  source-routing is scalable.
 
 Okay, then, forced arbitration (which is interchangeably equivalent to
 source routing if the arbitrators handle the mail as it transits).
 

Forced arbitration? - Not an Inclusive concept - but it is an ICANN concept
(UDRP/WIPO).

 
 On the flip side, there was quite a bit of experience with alternate DNS
 roots at the time RFC2826 was created -- AlterNIC, which was run and
 advocated by people just as blinded by ignorance as you.
 
 Oh wait, your name wouldn't *actually* be Jim Fleming, would it?


Todd, I can only ask, and you can ignore the request, but please try to 
refrain from posting religious/emotional arguments. Everything you
have posted above is unsubstantiated and sounds like an emotional and
religious position. It is not helpful to  introduce emotion and religion into 
a technical debate about such an important topic. I ditto Karl's point about
this sounding like the telco execs in the early 1970's. 

 -- 
 -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 

John Palmer



Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread John Palmer (NANOG Acct)


- Original Message - 
From: Stephen J. Wilcox [EMAIL PROTECTED]
To: John Palmer (NANOG Acct) [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Saturday, July 09, 2005 12:45 PM
Subject: Re: The whole alternate-root ${STATE}horse


 
 I didn't realise it was that time of year again already, it feels like only a 
 couple months since the last annual alternate root debate.

 Still it's nice to see all the old kooks still alive and well and not yet 
 locked up in mental homes. I'd better do my part to feed the trolls I guess...
 
 On Sat, 9 Jul 2005, John Palmer (NANOG Acct) wrote:
 
  Please prove that Inclusive Namespace roots put name resolution at risk.
 
 No proof is needed, this is not maths. If there are two roots then a query to 
 each server has the potential to return a different reply. The chance of this 
 happening increases over time plus if an alternate root were to become 
 popular their power to challenge authority if a class were found grows.
 

The potential, yes, but what Inclusive namespace roots do you know that 
create such collisions (other than ICANN with its cloning of .BIZ)?

What kind of credibility do you think such a root would have if they
answered with the wrong set of nameservers for, say .COM. What is 
technically possible and what actually occurs are two different things. 
I can use a sledgehammer to pound in tent stakes at a refugee camp for
victims of the tsunami or I can smash up people's cars with them.  Show
me how any of the current Inclusive Roots have done these kinds of things.

The only example is ICANN and .BIZ. 

   Client side users, conversely, expect that published addresses by 
   businesses
   or individuals go to the intended party.
 
 This is the key point, clients and domain owners need this consistency. Read 
 this a few times and consider how you'd feel if $large_provider decided to 
 point your domain name or their competitors' domains to their website .. it's 
 the same problem.
 
   Introducing fragmented TLDs or the opportunity to supplant the common TLDs
   places the DNS infrastructure at risk.  This is not just FUD -- DNS
   hijacking in alternate roots has already happened.  (But if you had 
   actually
   read RFC2826, you would already understand this.)
  
  Please post a link or give an example. If you mean .BIZ, I would agree, it 
  was hijacked, but by ICANN, not by any Inclusive Roots. It belonged to
  AtlanticRoot and ICANN deliberately created a collision. Collisions cause
  instability and the biggest one was caused by ICANN.
 
 Those who consider ICANN the authority would disagree, I believe those are 
 the 
 majority.
 
 Steve

Still awaiting facts and examples to prove your point and all I get back is 
a religious argument. Sigh.

John



Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread John Palmer (NANOG Acct)


- Original Message - 
From: Todd Vierling [EMAIL PROTECTED]
To: Jay R. Ashworth [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Saturday, July 09, 2005 12:51 PM
Subject: Re: The whole alternate-root ${STATE}horse


 
 On Sat, 9 Jul 2005, Jay R. Ashworth wrote:
 
  I'm going to dive in one more time here.
 
  It's not the *root* operators that are the problem -- it's the *TLD*
  zone operators.
 
 Oh, I can certainly agree with that; we've seen some gross abuses of TLDs
 documented in gory detail right here on the NANOG list.
 
 Of course, that too is orthogonal to who provides the delegations in . --
 except that perhaps some misguided souls are, as is relatively common,
 confusing the two realms.
 
   Introducing fragmented TLDs or the opportunity to supplant the common TLDs
   places the DNS infrastructure at risk.  This is not just FUD -- DNS
   hijacking in alternate roots has already happened.  (But if you had 
   actually
   read RFC2826, you would already understand this.)
 
  infrastructure at risk.  Justify this *far-reaching* statement,
  please.  Show your work.
 
 AlterNIC overriding .COM and .NET listings, one of the issues leading to its
 demise.  (This was done in addition to the more memorable cache poisoning
 attacks against INTERNIC.NET.)
 

Yes, and Eugene was punished for that. Notice that AlterNic really doesn't exist
anymore.  

Repeat after me - COLLISIONS ARE BAD! We all agree with that.

 -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 

John



Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread John Palmer (NANOG Acct)

No William, we are talking about multiple roots, NOT
separate namespaces. There is one namespace. There cannot be 
collisions. Inclusive roots do not create collisions - only ICANN
has done that so far.

There are people who have a great disagreement about how ICANN
is going about its business. There is a large piece of the world that doesn't
want ICANN to be the authority. 

No public RSN that cares about its credibility will create collisions. 

- Original Message - 
From: william(at)elan.net [EMAIL PROTECTED]
To: John Palmer (NANOG Acct) [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Saturday, July 09, 2005 2:05 PM
Subject: Re: The whole alternate-root ${STATE}horse


 
 
 On Sat, 9 Jul 2005, John Palmer (NANOG Acct) wrote:
 
  Repeat after me - COLLISIONS ARE BAD! We all agree with that.
 
 But you can't avoid collisions with multiple namespaces. This is
 exactly why Internet needs IANA - to avoid collisions in TLD names, 
 used ip addresses, protocol parameters, etc.
 
 What you're doing with separate namespace is as if you took some part
 of the currently unused IP space and setup your own BGP peering network
 for those using that space with your own registry, but also accepted 
 routes from Internet peers on the same router mixing it all up.
 
 -- 
 William Leibzon
 Elan Networks
 [EMAIL PROTECTED]
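What a TLD "collision" between two root zones looks like in data, as an added example that is not from any poster in this thread: a comparison of the delegations in two root zone files, the check a resolver operator could run before pointing a hints file at a different root. Both zone fragments, the TLD labels and the name-server names are constructed placeholders.

```python
from collections import defaultdict

# Constructed root-zone fragments (master-file syntax); not real delegations.
ROOT_A = """
; root A (constructed sample)
.      518400 IN NS a.root-a.example.
com.   172800 IN NS a.gtld.example.
com.   172800 IN NS b.gtld.example.
org.   172800 IN NS a.org-registry.example.
org.   172800 IN NS b.org-registry.example.
shop.  172800 IN NS ns1.registry-one.example.
net.   172800 IN NS a.gtld.example.
a.gtld.example. 172800 IN A 192.0.2.1
"""

ROOT_B = """
; root B (constructed sample)
.      518400 IN NS a.root-b.example.
com.   172800 IN NS b.gtld.example.
com.   172800 IN NS a.gtld.example.
org.   IN NS a.org-registry.example.
org.   IN NS c.org-registry.example.
shop.  172800 IN NS ns1.registry-two.example.
web.   172800 IN NS ns1.web-registry.example.
"""


def delegations(zone_text):
    """Map each TLD to the set of name servers the zone delegates it to."""
    tlds = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        fields = line.split()
        if len(fields) < 3:
            continue
        # owner [ttl] [class] NS target: the type sits between owner and target
        if "NS" not in (f.upper() for f in fields[1:-1]):
            continue
        owner = fields[0].lower().rstrip(".")
        target = fields[-1].lower().rstrip(".")
        if owner and "." not in owner:            # single label: a TLD, not "."
            tlds[owner].add(target)
    return dict(tlds)


def compare_roots(zone_a, zone_b):
    """Classify every TLD seen in either zone.

    same      : identical name-server sets (order is irrelevant)
    differs   : sets overlap but are not equal (e.g. one copy is stale)
    collision : both zones delegate the TLD, with no name server in common
    only_a/b  : the TLD exists in one zone only
    """
    da, db = delegations(zone_a), delegations(zone_b)
    report = {"same": [], "differs": [], "collision": [], "only_a": [], "only_b": []}
    for tld in sorted(set(da) | set(db)):
        if tld not in db:
            report["only_a"].append(tld)
        elif tld not in da:
            report["only_b"].append(tld)
        elif da[tld] == db[tld]:
            report["same"].append(tld)
        elif da[tld] & db[tld]:
            report["differs"].append(tld)
        else:
            report["collision"].append(tld)
    return report


if __name__ == "__main__":
    for kind, tlds in compare_roots(ROOT_A, ROOT_B).items():
        print(f"{kind:10} {', '.join(tlds) or '-'}")
```

A name under a TLD in the `collision` list can resolve to different parties depending on which root a resolver uses; names under `only_a` or `only_b` resolve for one population of users and fail for the other.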
 
 



Re: Enable BIND cache server to resolve chinese domain name?

2005-07-03 Thread John Palmer (NANOG Acct)

ICANN has no right to claim that they are the authority for the namespace.
They are NOT. Also note the word PUBLIC in PUBLIC-ROOT.

- Original Message - 
From: Mark Andrews [EMAIL PROTECTED]
To: Joe Shen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; NANGO nanog@merit.edu
Sent: Sunday, July 03, 2005 9:12 PM
Subject: Re: Enable BIND cache server to resolve chinese domain name? 


 
 
  Hi,
  
  Some of our customers complain that they could not visit
  their web site, which uses a Chinese domain name.
  I googled the net and found someone recommending the use of
  public-root.com servers in the hint file.
  
  I found domain name like xn--8pru44h.xn--55qx5d could
  not be resolved either. 
  
  Our cache server runs BIND9.3.1 with root server list
  from rs.internic.net. 
  
  Do I need to modify our cache server configuration to
  enable it?
  
  regards
  
  Joe
 
 Only if you wish to do all your other customers a disfavour
 by configuring your caching servers to support a private
 namespace then yes.
 
 I would have thought the Site Finder experience would have
 stopped people from thinking that they can arbitrarily add
 names to the public DNS.
 
 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
 
 



Re: NTIA will control the root name servers?

2005-07-02 Thread John Palmer (NANOG Acct)

Already entire nations are dropping ICANN. China for one and now
Turkey.


Istanbul, June 23, 2005

A Top Level Domain (TLD) system has been launched in Turkey as the result
of an alliance between the Turkish Informatics Association (TBD) and
Unified Identity Technology (UNIDT), officials announced on Wednesday.

Top Level Domain is the portion of a traditional domain name that comes
after the dot. The generic Top Level Domains (gTLDs) are: .com, .net and
.org, the other type of TLDs include the country code Top Level Domains
(ccTLD), which are assigned to all countries and their dependencies such
as .tr for Turkey.

Top Level Domains (TLD) will be put up for sale by Turkish Internet
service providers, Turkish Informatics Association Chairman Turhan Mentes
said.

Mentes said the deal with UNIDT might offer new possibilities for Turkish
corporations, as they will be free to use their own names as domain names
on the Internet.

Access to TLDs is supported by a federation called Public-Root, which
emerged due to shortcomings in the existing Internet infrastructure and
monopolistic tendencies, Mentes said.

TLDs also single out search results, instead of hundreds or thousands of
results one gets when using the search engines on ordinary servers.

Mentes said Public-Root supports the existing Internet domains and one of
the 13 root servers worldwide is located in Ankara.

Taken from http://www.turkishdailynews.com.tr/article.php?enewsid=16484
(Registration required to access full article)

- Original Message - 
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: John Levine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, July 02, 2005 9:18 PM
Subject: Re: NTIA will control the root name servers?



On 2 Jul 2005 11:56:07 -, John Levine [EMAIL PROTECTED] wrote:

 ICANN's leadership has long claimed and probably believed that the DOC
 would eventually cut them free. Of course other governments have never
 been thrilled that the root belongs to the US Gov't, but treatment of
 country domains has in practice carefully avoided antagonizing
 governments, dating back to the Haiti redelegation in the Postel era.

 The DOC is merely saying don't hold your breath.  Given ICANN's less
 than stellar record, nobody should be surprised.


I at least kind of expected this.. and the language in that paper is
heavily geared towards status quo.  So far what we have is a lot of
people who don't like icann, or perhaps have got disillusioned with it
for various reasons, sounding off on the IP list and elsewhere .. and
a lot of comment on various ops and public policy lists.

What worries me is the tendency among several governments to send in
submissions to the WSIS/WGIG process in support of greater government
involvement and/or oversight in the process (which is not necessarily
a bad thing) but quoting a lot of wrong reasons, and [conveniently?]
forgetting the difference between domain names and IP addresses on a
fairly regular basis.

However governments are going to sooner or later get themselves a
stake in this process - though hopefully not by the almost anarchical
means being suggested so far.   Will be very tough to fight that -
especially as the language in the paper also leaves the door open for
more government involvement, and recognizes the fact that for several
governments, ccTLD is [or has become, once this brouhaha started] a
sovereignty issue.

Someone have any idea for a workable compromise that bridges the
current ITU positions with the status quo?  Answers that won't work and
have been fairly freely bandied about -  get rid of ICANN and damn
the ITU, or various more polite and diplomatic variants of those ..

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])





Re: what will all you who work for private isp's be doing in a few years?

2005-05-12 Thread eric-list-nanog

On Thu, 2005-05-12 at 14:32:45 -0400, Joe Loiacono proclaimed...

 So imagine a residential area all pulling digital video over wireless.
 Sound familiar? Ironically close to TV! (yet so different)
 
 What I can't understand is why multicast hasn't just gone gangbusters into
 use yet. I see it as a really pent-up capability that, in light of
 broadband video, etc., is just going to have to break wide open soon.

Do any of the cable companies actually use multicast? A while back, I saw
some programming information being broadcast out to my cable modem (I don't
remember if it was multicast at this point), but with the DVR's out there
now, my TV is just a glorified computer display anyway :)

- Eric


Re: ICANN needs you!

2005-04-29 Thread John Palmer (NANOG Acct)

How about supporting alternatives to ICANN, which are getting 
more and more widespread and accepted like www.public-root.com
and www.inaic.com ?

- Original Message - 
From: Eric Brunner-Williams in Portland Maine [EMAIL PROTECTED]
To: Rodney Joffe [EMAIL PROTECTED]
Cc: nanog@merit.edu; [EMAIL PROTECTED]
Sent: Friday, April 29, 2005 8:12 AM
Subject: Re: ICANN needs you! 


 
 Rodney,
 
 Can you compare the past out-reach exercises and the present one?
 You know, process and outcomes.
 
 I'm thinking of the process and outcome of the MITF exercise of 2002/3.
 
 It is now seven years since the issue of appropriation of tribal names
 was brought to the attention of the ICANN BoD in an ICANN VI-B(3)(b)(7)
 Constituency Application. The situation remains unchanged. On a personal
 note, I still recall then-CEO Michael Roberts telling me to just take what
 the IPC offered (nothing), as the ICANN bus was leaving the station.
 
 It is now six years since the issue of code point allocation by the iso3166 
 maintenance agency and indigenous governments was brought to the attention
 of the ICANN BoD in WG-C (draft-icann-dnso-wgc-naa-01.txt). The situation
 remains unchanged.
 
 The model of an sTLD was adopted, but sex.pro was not what we'd in mind.
 
 Had Jon not died, we might have had a solution along the lines of x.121
 (and now ASO RIRs) regional DSO registries, or a .ps-like work-around.
 
 We're going on the third year of .iq being dark, with no trust operator, and
 no contact initiated by ICANN with the Sponsoring Organization, still in
 a US pokey for an exports infraction (they freighted a PC to Malta, which
 the forwarding agent then sent to Libya, and may have freighted a PC to
 Syria, about an hour's drive from Beirut). From Louis to the BoD @ Rome
 to Vint and Paul over the winter holidays, ICANN has been aware and the
 situation remains unchanged.
 
 The .ORG evaluation was ridiculous. The evaluator was not independent
 and did not possess subject matter expertise.
 
 The .NET evaluation was ridiculous. The evaluator ... ditto.
 
 The control of the DSO et seq by the IPC (whois) is ridiculous.
 
 The vanishing of the ISP Constituency (self-inflicted, but rational in
 the context, see the prior item) is ridiculous.
 
 When I look at my years of non-accomplishment, and ICANN's years of little
 accomplishment, I don't see a lot a rational person could take a lot of
 pride in, or want to be associated with. Your mileage may vary.
 
 You are correct that [t]he archives of NANOG are riddled with complaints
 and comments about the lack of competent representation and influence for
 the networking community within ... ICANN.
 
 An alternative to asking for a new crop of possibly decorative worker bee
 candidates to self- or other-identify for a possibly decorative nomination
 and selection process is to identify one or more of those existing complaints
 and comments and attempt to act upon it or them.
 
 Beauty pageants and member pageout events aren't the same as working a task
 to a scheduled completion.
 
 Cheers,
 Eric
 
 P.S. If discussion of the latest ICANN process event does not belong on
 NANOG, does its announcement?
 
 


Re: Getting a BGP table in to a lab

2005-04-20 Thread eric-list-nanog

On Wed, 2005-04-20 at 20:41:30 -0400, Scott Morris proclaimed...

 If you just want to play with BGP stuff, you can use Zebra (unix) or go to
 www.nantech.com and get their BGP4WIN program.

Or use something that eats tables and asks for more... OpenBGPD (part of
OpenBSD). It's hungry, and wants to be fed.


Re: Utah considers law to mandate ISP's block harmful sites

2005-03-04 Thread Nanog Deform

First of all, so what. Second, what does this have to do with network
operations? This discussion went from ISPs blocking porn to gay
marriage.

Join EFnet and #politics if you want to talk about gay people, but
please spare us the drama.

I would have just ignored this thread if it wasn't disguised as possibly useful.

This is the problem with nanog, it's no longer useful or operational.
Most of the contributors to nanog have been wasting their time the
last xxx weeks being girly men arguing about laptops for
presentations.

I bet the blackhats are having a good time watching you bicker and
fight and not pay attention to the real issues of network operations.

Nanog Deformer
(self appointed moderator)

On Fri, 04 Mar 2005 12:01:38 -0500, William Allen Simpson
[EMAIL PROTECTED] wrote:
 
 Richard Irving wrote:
 
I have a way. You want the Internet sites on this list blocked,
  -here-, your account is now _disabled_.
 
  You won't -ever- have to worry about accessing sites you don't like.
 
:P
 
This is another attempt to legislate something that
  can be solved, or should be solved, with technology.
 
   After all, we have -all- seen how well the anti-UCE laws
  have worked.
 
* cough *
 
The last 5 years of politics, have set a record low,
  in my book.
 
This law ranks right up there, with the law recently passed
  in one state,  (in the past year, and, of course, a Red State)
  that declared same sex couples living together,
  instead of being married, as criminals, subject to a fine,
  and incarceration.
 
Did someone spike the legislative punch bowl, or _what_ ?
 
 Umm, we have a longstanding law here in Michigan that defines *any* sex
 couples living together as criminals, and the legislature raised the fine
 from $300 to $1,000 a few years ago, in a 3 am lame duck session just
 before the Republican governor left and became the head lobbyist for the
 National Association of Manufacturers.
 
 --
 William Allen Simpson
 Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
 



RE: Heads up: Long AS-sets announced in the next few days

2005-03-03 Thread Brian (nanog)

James [mailto:[EMAIL PROTECTED] wrote:

They are not playing with the core. The result of what they are 
doing is dependent on specific topology and level of direction
they are throwing prefixes at.

While I will not dispute your statement, I believe that every 
ASN should be responsible of their own and should not trust the
General Internet to not cause harm on their network. If your 
router is going to crash b/c of someone advertising an unusual
AS_PATH, I don't view that differently from a box getting owned
because it was running unpatched OS since 1999 without any 
firewall rules either.
-J

I think most of the concern comes from the fact that this
experiment is being done on a network that many people rely
upon for various reasons, and its unknown side effects are
in the scope of global financial/communication/emergency crises.
It might not cause any harm, but I'd think you guys could have
probably come up with a better test bed than using other people's
equipment and networks without permission and risking unforeseen
disasters.  Why wasn't this experiment tested in a lab
environment?  We don't test new pharmaceuticals directly on humans
in the first round of testing, and after they've been proven safe
on animals, the tests then go on to compensated volunteers.

Even if this type of experiment fell into compliance with the
RFCs, it surely wasn't the intended use of AS-PATHS and should
be considered experimental, and therefore tested in a lab setting.
The risks imposed by using the global internet routing
infrastructure as your testbed far outweigh any benefits your tool
might realize.

If this experiment that you're running causes downtime for 
someone else's systems, are you willing to pay for the damages?

-Brian



Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Nanog List

I know that I'm in the middle of trying to figure this out with the mail
server software that is used where I work but if limits are going to be put
into place per email box of say 1,000 messages per day and a total daily
sending limit of say 200 megabytes, I feel there also need to be methods in
place for the end-user (customer) to be able to view where they stand in
relationship to their quota.

Yes this becomes more of something for the help desk side of a provider
but as operations, I have to support the help desk in being able to give
the user information when they call about the limits

David
- Original Message - 
From: Gadi Evron [EMAIL PROTECTED]
To: Raymond Dijkxhoorn [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Sent: Thursday, February 03, 2005 10:14 AM
Subject: Re: Time to check the rate limits on your mail servers



  Did you actually read the article? This was about drones sending out via
  its ISP mailserver. Blocking outbound 25 doesn't help a bit here. In
  general sure, good idea, and also start using submission for example. But
  in this context it's silly.

 No, it is relevant or I wouldn't have mentioned it.

 Allow me to elaborate; and forget about this article, why limit ourselves?

 Once big ISP's started blocking port 25/outbound for dynamic ranges, and
 it finally began hitting the news, we once again caused the spammers to
 undergo evolution.

 In this particular case, they figured they'd have to find better ways to
 send spam out, because eventually, they will be out of working toys.

 Using the user's own mail server, whether by.. erm.. just utilizing it
 if that is possible, sniffing the SMTP credentials or stealing them from
 a file/registry, maybe even using Outlook to send is all that's about to
 happen.

 heck, I don't see how SMTP auth would help, either. They have local
 access to the machine.

 Now, once 100K zombies can send *only* 1000 spam messages a day instead
 of 10K or even 500K, it makes a difference, but it is no solution.

 I am happy to see people are starting to move this way, and I personally
 believe that although this is happening (just go and hear what Carl from
 AOL says on Spam-R that they have been seeing since 2003), this is all a
 POC. We have not yet begun seeing the action.

 Should I once again be stoned, or will others see it my way now that the
 tide is starting to turn?

 Gadi.





Re: Association of Trustworthy Roots?

2005-01-16 Thread John Palmer (NANOG Acct)

See http://www.public-root.com for an alternative to the ICANN monopoly.
Those folks are very concerned with security.

- Original Message - 
From: [EMAIL PROTECTED]
To: nanog@merit.edu
Sent: Sunday, January 16, 2005 3:45 PM
Subject: Re: Association of Trustworthy Roots?


 
 On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
 
  [EMAIL PROTECTED] (William Allen Simpson) wrote:
  
   While the Association of Trustworthy ISPs idea has some merit, we've
   not been too successful in self-organizing lately.  ISP/C?
  
  I thought we already had built such a thing, currently covered by ICANN.
 
 let's think outside the box.
 
 there's no reason that nanog (or anyone willing to run 
 a mailing list) couldn't create an ad hoc 
 decentralized Trustworthy ISP/Root service.  heck, 
 such a thing may even encourage more active 
 participation in nanog.  having a shared group 
 identity where the rubber meets the road is very 
 powerful.  it's the underlying motivator behind the 
 nanog, xBSD, GPL, torrent, tor, (pick your non-
 hierarchical community driven project), etc. clans.
 
 there's also no reason that this has to replace ICANN. 
  and it would likely have the exact result on existing 
 entities that you mention below - improved 
 trustworthiness.
 
 
 peace
 
 
  But well...life changes everything, and for some (or many) of us, this
  association doesn't seem so trustworthy anymore. Maybe it would be better
  to improve trustworthiness of the existing authorities. I believe there
  is still much room for participation, not to mention political issues
  you simply cannot counter on a technical level.
  
  
   At the moment, I'm concerned whether we have trustworthy TLD operators.
  
  One can never know what's going on behind the scenes. Maybe Verysign
  is on the issue, maybe not. I believe, there are at least three VS
  people on this list who could address this. I don't know whether they
  are allowed to.
  
  
   It's been about 24 hours, it is well-known that the domain has been
   hijacked, we've heard directly from the domain owner and operator,
   but the TLD servers are still pointing to the hijacker.
  
  By chance - how is the press coverage of this incident? Has anybody
  read anything in the (online) papers? Unfortunately I haven't been
  able to follow the newsboards intensely this week-end, but Germany
  seems very quiet about this.
  
  Yours,
  Elmar.
 
 
 
 


Re: Association of Trustworthy Roots?

2005-01-16 Thread John Palmer (NANOG Acct)

They don't have a mailing list that is public yet.  Might
be a good suggestion.

- Original Message - 
From: [EMAIL PROTECTED]
To: nanog@merit.edu
Sent: Sunday, January 16, 2005 5:35 PM
Subject: Re: Association of Trustworthy Roots?


 
 On 16 Jan 2005 at 15:52, John Palmer (NANOG Acct) wrote:
 
  See http://www.public-root.com for an alternative to the ICANN monopoly.
  Those folks are very concerned with security.
 
 these folks don't seem very decentralized.  do you 
 know if they have a public mailing list?  there 
 doesn't seem to be much information on the website.
 
 
  - Original Message - 
  From: [EMAIL PROTECTED]
  To: nanog@merit.edu
  Sent: Sunday, January 16, 2005 3:45 PM
  Subject: Re: Association of Trustworthy Roots?
  
  
   
   On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
   
[EMAIL PROTECTED] (William Allen Simpson) wrote:

 While the Association of Trustworthy ISPs idea has some merit, we've
 not been too successful in self-organizing lately.  ISP/C?

I thought we already had built such a thing, currently covered by ICANN.
   
   let's think outside the box.
   
   there's no reason that nanog (or anyone willing to run 
   a mailing list) couldn't create an ad hoc 
   decentralized Trustworthy ISP/Root service.  heck, 
   such a thing may even encourage more active 
   participation in nanog.  having a shared group 
   identity where the rubber meets the road is very 
   powerful.  it's the underlying motivator behind the 
   nanog, xBSD, GPL, torrent, tor, (pick your non-
   hierarchical community driven project), etc. clans.
   
   there's also no reason that this has to replace ICANN. 
and it would likely have the exact result on existing 
   entities that you mention below - improved 
   trustworthiness.
   
   
   peace
   
   
But well...life changes everything, and for some (or many) of us, this
association doesn't seem so trustworthy anymore. Maybe it would be better
to improve trustworthiness of the existing authorities. I believe there
is still much room for participation, not to mention political issues
you simply cannot counter on a technical level.


 At the moment, I'm concerned whether we have trustworthy TLD 
 operators.

One can never know what's going on behind the scenes. Maybe Verysign
is on the issue, maybe not. I believe, there are at least three VS
people on this list who could address this. I don't know whether they
are allowed to.


 It's been about 24 hours, it is well-known that the domain has been
 hijacked, we've heard directly from the domain owner and operator,
 but the TLD servers are still pointing to the hijacker.

By chance - how is the press coverage of this incident? Has anybody
read anything in the (online) papers? Unfortunately I haven't been
able to follow the newsboards intensely this week-end, but Germany
seems very quiet about this.

Yours,
Elmar.
 
 


Re: [OT] Re: Banned on NANOG

2004-12-06 Thread nanog gonan


--- Alex Bligh [EMAIL PROTECTED] wrote:
 --On 04 December 2004 17:35 + Paul Vixie
 [EMAIL PROTECTED] wrote:
 
  third and last, there are a number of principles
  up for grabs right now, and the folks who want to
  grab them aren't universal in their motives or
  goals.  some folks think that rules are bad. 
  others think that susan is bad or that merit is
  bad.  some say that rules are ok if the community
  has visibility and ultimate control.
 
 I'd add: if people don't like NANOG, demand a full
 refund for your year's membership. Then go set up
 your own mail-server and work out your own
 moderation policies. If you do a better job, you'll
 win clueful subscribers.


It isn't we don't like NANOG, it's obvious we all do or
we wouldn't be here.  It's we don't want the clueful
folks eliminated.  It reduces the S of the list and has
little effect on N.  There is very little chance
someone's going to start a new NOG list and get the
quality of folks that're here.  Folks have too much
time invested here.  The question is, as Paul proposed,
how can we get the community more visibility into the
process of banishment and more control over who is
banned?

How long are randy and the other cluefolks banned for?
(no I don't expect an answer...)



 



Banned on NANOG

2004-12-02 Thread nanog gonan


: Susan Harris' supervisor at MERIT. Chances are, I
: will be censored for this and banned almost

This whole censorship thing has me wondering as to the
continued viability of this list as a place where the
clue-heavy hang out and speak freely.  Paul Vixie has
been warned, randy Bush has been banned.  Who else has
been banned that'd be considered a clue-heavy NANOG
poster?

Why are folks being banned?  Last I heard, procmail
still works.  Folks are becoming afraid to post due to
worries about being banned. 

S/N: Isn't the goal to increase S and reduce N?  If
you reduce both S and N, you don't get a better
signal.  With randy gone, the S has definitely
decreased.  Who else is gone that reduces S?






RE: Blackhole Routes

2004-10-05 Thread Wayne Gustavus (nanog)

Pete,

If you are in the business of fighting DDoS at the ISP level, I would
recommend checking out the NSP-SEC community.  Among other things, I
think you will find some info regarding DDoS route servers.  There are
several NANOG presentations and archived emails on this community.  If
you can't find what you are looking for, drop me a line offlist and I'll
see if I can provide more assistance.

HTH,

___
Wayne Gustavus, CCIE #7426
IP Operations Support 
Verizon Internet Services   
___
Can you ping me now?  Good!

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Petri Helenius
Sent: Monday, October 04, 2004 4:46 PM
To: Wayne Gustavus (nanog)
Cc: 'Stephen J. Wilcox'; 'Abhishek Verma'; [EMAIL PROTECTED]
Subject: Re: Blackhole Routes



Wayne Gustavus (nanog) wrote:

You can check out the info here:

http://www.cymru.com/BGP/bogon-rs.html

  

Sure the bogons by cymru are widely known, anyone for spam and ddos 
bots/zombies?

Pete

___
Wayne Gustavus, CCIE #7426   
Operations Engineering   
Verizon Internet Services  
___
Entropy isn't what it used to be!

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Petri Helenius
Sent: Monday, October 04, 2004 1:41 AM
To: Stephen J. Wilcox
Cc: Abhishek Verma; [EMAIL PROTECTED]
Subject: Re: Blackhole Routes



Stephen J. Wilcox wrote:

  

There are several sources of eBGP feeds for blackholing, they can be
very useful depending on what your requirements are. You can get feeds
for spam, ddos bots, bogon routes etc

Can you point to the right direction where to find these feeds? They
don't seem to be advertised widely.

Pete

  




RE: Blackhole Routes

2004-10-04 Thread Wayne Gustavus (nanog)

You can check out the info here:

http://www.cymru.com/BGP/bogon-rs.html


___
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services   
___
Entropy isn't what it used to be!

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Petri Helenius
Sent: Monday, October 04, 2004 1:41 AM
To: Stephen J. Wilcox
Cc: Abhishek Verma; [EMAIL PROTECTED]
Subject: Re: Blackhole Routes



Stephen J. Wilcox wrote:

There are several sources of eBGP feeds for blackholing, they can be 
very useful
depending on what your requirements are. You can get feeds for spam,
ddos bots, 
bogon routes etc
  

Can you point to the right direction where to find these feeds? They 
don't seem to be advertised widely.

  

Pete



Re: OT: Politics

2004-08-31 Thread list-nanog


gking Quick show of hands, of the American citizens in here (of legal
gking voting age), how many of you will be going to the polls to cast a
gking vote for president this November?  And which candidate are you
gking voting for? Mail me in private and I'll summarize the results on
gking the list.

lou Can we send this information through an anonymizer, or do we have
lou to trust Gmail to not scan the E-mail and correlate the opinion
lou with our E-mail address?

Please don't feed the troll...

Can't we talk about spam or verisign or something else more likely to be
on topic and bring accord than politics?


RE: bandwidth test

2004-08-22 Thread Wayne Gustavus (nanog)

If you have a Cisco at both ends with the correct IOS, you can run a
ttcp test to try and stress the DS3.


___
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services   
___
How many people can read hex if only you and dead people can read hex?

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Bubba Parker
Sent: Friday, August 20, 2004 7:47 PM
To: [EMAIL PROTECTED]
Subject: bandwidth test



Recently my DS3 has been turned up to 8 megabits. How can I test to see
if I can actually achieve that throughput? Online bandwidth test sites
are only good for up to 5mb at the most, and my upstream doesn't have a
method to test that.

Any help would be greatly appreciated. Thanks.


-- 
Bubba Parker
[EMAIL PROTECTED]
CityNet LLC
http://www.citynetinfo.com/



Re: Real-Time Mitigation of Denial of Service Attacks Now Available With ATT

2004-06-02 Thread nanog

 - Forwarded message from Eric Kuhnke [EMAIL PROTECTED] -
 
 Major providers such as Sprint and UUNet have had null route communities 
 available for quite some time...   Unless I am mistaken?

Which ATT does *not* have, unless I cannot find the correct person
to enlighten me.  (NOC, sales team, implementation teams, customer
care and lifecycle teams- all either scratch their head and say
what?  why would someone want that? or just say no.)

Someone, please prove me wrong.  I would love to have this 
rather simple and quite common (these days) functionality 
in all of my upstreams.  Yes, ATT is the only one (out of 4
major providers we use) that cannot seem to implement this.

Of course, I wonder if it will ever come now (assuming they will
charge for their whiz-bang Arbor solution...)

bill


What HTTP exploit?

2004-05-30 Thread John Palmer (NANOG Acct)


Can anyone identify this http exploit? Seen in the apache logs:

foo.bar.com
 - - [30/May/2004:02:45:28 -0400] SEARCH 
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

etc - and it goes on for about 1200 bytes.

Been getting an annoying number of these in my httpd logs today - it botches up my log 
analyser program.
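One way to keep requests like the one quoted above from breaking a log analyser is to split them out before analysis and count them per client. This is an added example, not code from the original post; the sample log lines, addresses, status codes and both thresholds are constructed assumptions, and the lines use Apache common log format with the quotes intact.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Apache writes non-printable request bytes as \xHH in the access log.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Assumed thresholds: a few escapes are normal (UTF-8 in a URL), hundreds are not.
MAX_ESCAPES = 16
MAX_REQUEST_CHARS = 512

# Constructed sample input, modelled on the entry quoted in the post.
PAYLOAD = "/" + r"\x90" + r"\x02\xb1" * 600
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2004:02:45:27 -0400] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [30/May/2004:02:45:28 -0400] "SEARCH ' + PAYLOAD + '" 414 340',
    '198.51.100.7 - - [30/May/2004:02:45:31 -0400] "SEARCH ' + PAYLOAD + '" 414 340',
    '203.0.113.5 - - [30/May/2004:02:46:02 -0400] "GET /caf\\xc3\\xa9.html HTTP/1.0" 404 210',
    'not a log line',
]


def classify(line):
    """Return (verdict, details); verdict is 'normal', 'binary' or 'unparsed'."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed", None
    request = m.group("request")
    details = {
        "host": m.group("host"),
        "method": request.split(" ", 1)[0],
        "chars": len(request),
        "escapes": len(ESCAPE_RE.findall(request)),
    }
    if details["escapes"] > MAX_ESCAPES or details["chars"] > MAX_REQUEST_CHARS:
        return "binary", details
    return "normal", details


def split_log(lines):
    """Return (lines safe to hand to the analyser, Counter of (host, method) set aside)."""
    clean, set_aside = [], Counter()
    for line in lines:
        verdict, details = classify(line)
        if verdict == "binary":
            set_aside[(details["host"], details["method"])] += 1
        else:
            clean.append(line)
    return clean, set_aside


if __name__ == "__main__":
    clean, set_aside = split_log(SAMPLE_LOG)
    print(len(clean), "lines kept")
    for (host, method), count in set_aside.items():
        print(host, method, count)
```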



Level3 issue in LA on 3/9 (was: ATT Outage 01:25-01:50 AM EST)

2004-03-10 Thread achen-nanog

So at least I wasn't the only one that felt this.  Did Level3 ever say
what blew up on their network?


On Wed, 10 Mar 2004, Christopher McCrory wrote:

 About that time Level3 had an issue in the LA, CA area.  Could be
 related.


RE: Verizon clients DOS own site?

2004-02-20 Thread Wayne Gustavus (nanog)

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, February 19, 2004 3:57 PM
 To: [EMAIL PROTECTED]
 Subject: Verizon clients DOS own site?
 
 I've tried contacting Verizon via email but I haven't 
 received a response and their tech support had no information 
 on this.  Although we're now blocking this site and trying to 
 clean up the clients, this is still generating a lot of noise 
 on our network. Any ideas on how to get Verizon to take a 
 look at this? 
 

Calling the NOC numbers available via the puck.nether.net site would be a
good start (info recently updated from older Bell Atlantic references).  

This sounds like part of the support tools installed as part of the VOL
setup discs.  I'll fwd info onto VOL to confirm, though website IS valid
(perhaps there is an issue interacting w/ VPN setup).

 Any input is welcome.
 
 Thanks,

np

___ 
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services   
___  



RE: Monumentous task of making a list of all DDoS Zombies.

2004-02-07 Thread Wayne Gustavus (nanog)



This would essentially be impossible and not a good idea. Large
volumes of hosts/zombies involved in such attacks originate from residential
cable/dsl subscribers. This user base primarily uses dynamically
assigned IP space. Hence, the IP of tonight's attacker could be the IP of
tomorrow's legitimate user.

This is the same reason that it is imperative that any complaints sent to
ISPs providing such services MUST have a time stamp (with timezone) along with
other information relative to the attack/abuse. This is the only way the
ISPs can relate the IP with the actual end user in order to contact them for
remediation.




___
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services
___

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
  Sent: Friday, February 06, 2004 4:15 PM
  To: [EMAIL PROTECTED]
  Subject: Monumentous task of making a list of all DDoS Zombies.
  
   
  Is there a list maintained anywhere of all hosts that have been identified as 
  a DDoS zombie? Or attack box? We got hit with an attack from more than 60 IPs 
  last night and I'd like to add them to any list that anyone has 
  started.
  
  Thanks,
  -Drew
  


RE: Monumentous task of making a list of all DDoS Zombies.

2004-02-07 Thread Wayne Gustavus (nanog)

 -Original Message-
 From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, February 07, 2004 9:58 PM
 To: Wayne Gustavus (nanog)
 Cc: 'Drew Weaver'; [EMAIL PROTECTED]
 Subject: Re: Monumentous task of making a list of all DDoS Zombies.
 
snip
 
 1. It is arguable whether dynamic IPs are to be treated as legitimate 
 mailhosts.  Your colleagues in VOL mailops might tell you something 
 similar too.

No argument there.  However, the thread was originally addressing a list of
DDoS Zombies, not illegitimate SMTP mailhosts.  Arguably zombies used to
launch DDoS attacks are treated differently than such hosts.  We address both
types.

 
 2. An expiring list, where entries inserted are quickly expired, and 
 stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a 
 good idea, and moreover, it's already been done. 
http://cbl.abuseat.org

Interesting approach.  It would be conceivable that if this resource was
widely used, miscreants could use this service to DDoS their victims without
an army of zombies :-)  I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic.  Automating this process of matching dynamic IP to customer acct 
with a timestamp and remediation is the goal.  



__ 
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services   
___ 
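The matching described in the two replies above (complaint timestamp with timezone, dynamic IP, customer account) can be sketched as follows. This is an added example, not code from the thread or from any ISP; the lease table, account names, addresses and the ISO 8601 report format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def _utc(text):
    """Helper for the constructed lease table below (times are UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed DHCP lease history: (ip, account, lease_start_utc, lease_end_utc).
# The same address is held by two different customers within a few hours.
LEASES = [
    ("198.51.100.23", "acct-1001", _utc("2004-02-06 18:00"), _utc("2004-02-07 02:00")),
    ("198.51.100.23", "acct-2002", _utc("2004-02-07 02:05"), _utc("2004-02-07 14:00")),
    ("198.51.100.77", "acct-3003", _utc("2004-02-06 00:00"), _utc("2004-02-08 00:00")),
]


class MissingTimezone(ValueError):
    """The complaint gave a wall-clock time with no UTC offset."""


def to_utc(report_time):
    """Parse an ISO 8601 timestamp and normalise it to UTC; refuse naive times."""
    ts = datetime.fromisoformat(report_time)
    if ts.tzinfo is None:
        raise MissingTimezone("no UTC offset in %r" % report_time)
    return ts.astimezone(timezone.utc)


def accounts_at(ip, when_utc):
    """Accounts whose lease on ip covers the given UTC instant."""
    return [acct for lease_ip, acct, start, end in LEASES
            if lease_ip == ip and start <= when_utc < end]


def account_for(ip, report_time):
    """Return the single account holding ip at report_time, or None if no unique match."""
    holders = accounts_at(ip, to_utc(report_time))
    return holders[0] if len(holders) == 1 else None


def candidates_without_zone(ip, naive_time):
    """Every account a zone-less timestamp could point at, trying UTC-12 to UTC+14."""
    wall = datetime.fromisoformat(naive_time)
    found = set()
    for hours in range(-12, 15):
        zone = timezone(timedelta(hours=hours))
        found.update(accounts_at(ip, wall.replace(tzinfo=zone).astimezone(timezone.utc)))
    return sorted(found)


if __name__ == "__main__":
    # Same wall-clock time, different offsets, different customers.
    print(account_for("198.51.100.23", "2004-02-06T21:30:00-05:00"))
    print(account_for("198.51.100.23", "2004-02-06T21:30:00+00:00"))
    print(candidates_without_zone("198.51.100.23", "2004-02-06T21:30:00"))
```

A complaint without an offset cannot be narrowed to one subscriber here, which is why `account_for` rejects it instead of guessing a zone.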



Strange public traceroutes return private RFC1918 addresses

2004-02-02 Thread Brian (nanog-list)





Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute?

Maybe try from your side of the internet and see if you get the same types of responses.


It's really strange to see 10/8's and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine, it's just the traceroutes that are strange.

(initial few hops sanitized)


[EMAIL PROTECTED] /]# traceroute www.ibm.com
traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
1 (---.---.---.---) 2.481 ms 2.444 ms 2.379 ms
2 (---.---.---.---) 17.964 ms 17.529 ms 17.632 ms
3 so-1-2.core1.Chicago1.Level3.net (209.0.225.1) 17.891 ms 17.985 ms 18.026 ms
4 so-11-0.core2.chicago1.level3.net (4.68.112.194) 18.272 ms 18.109 ms 17.795 ms
5 so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197) 17.851 ms 17.859 ms 18.094 ms
6 so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49) 23.095 ms 22.975 ms 22.998 ms
7 ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130) 23.106 ms 23.237 ms 22.977 ms
8 unknown.level3.net (63.20.48.6) 24.264 ms 24.099 ms 24.154 ms
9 10.16.255.10 (10.16.255.10) 24.164 ms 24.108 ms 24.105 ms
10 * * *



[EMAIL PROTECTED] /]# traceroute www.att.net
traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
1 (---.---.---.---) 2.404 ms 2.576 ms 2.389 ms
2 (---.---.---.---) 17.953 ms 18.170 ms 17.435 ms
3 500.pos2-1.gw10.chi2.alter.net (63.84.96.9) 18.077 ms * 18.628 ms
4 0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170) 18.238 ms 18.321 ms 18.213 ms
5 0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49) 18.269 ms 18.396 ms 18.329 ms
6 204.255.169.146 (204.255.169.146) 19.231 ms 19.042 ms 18.982 ms
7 tbr2-p012702.cgcil.ip.att.net (12.122.11.209) 20.530 ms 20.542 ms 23.033 ms
8 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 26.904 ms 27.378 ms 27.320 ms
9 tbr1-cl2.sl9mo.ip.att.net (12.122.9.141) 27.194 ms 27.673 ms 26.677 ms
10 gbr1-p10.bgtmo.ip.att.net (12.122.4.69) 26.606 ms 28.026 ms 26.246 ms
11 12.122.248.250 (12.122.248.250) 27.296 ms 28.321 ms 28.997 ms
12 192.168.254.46 (192.168.254.46) 28.522 ms 30.111 ms 27.439 ms
13 * * *
14 * * *






RE: Verizon mail troubles

2004-01-29 Thread Wayne Gustavus (nanog)

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Andy Dills
 Sent: Wednesday, January 28, 2004 10:47 PM
 To: Bob Snyder
 Cc: [EMAIL PROTECTED]
 Subject: Re: Verizon mail troubles
 
 
snip
 
 Now, they do have some decent engineers, to be fair. You just 
 have to manipulate your way through to them...they're in 
 really short supply on the internet end of things.
 
 Andy
 
 ---
 Andy Dills
 Xecunet, Inc.
 www.xecu.net
 301-682-9972
 ---
 

Well thanks for being (somewhat) fair.  :-)

1.  Verizon does care about IP / Internet

2.  While I don't have anything to do with the VOL email operations, I will
see if I can get your contact info/issue to the appropriate people

3.  You're on your own with the Premier of China.

___ 
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services   
___ 




Cox Dns Admins Needed

2004-01-07 Thread nanog



Hello Need to speak to Cox Dns Admins
if they can contact me off the list 
having dns cache issue with their 
system


[EMAIL PROTECTED]
frankie gravato
senior network and systems admin
Slingo Inc.


Issues with Comcast broadband customers in the Seattle, WA area -- please contact

2003-11-25 Thread dani-nanog

Hello,

Looking for someone @ Comcast (AS22909?) that can help troubleshoot a problem:

For a few days, Comcast residential cablemodem customers in the Seattle, WA area
are reporting that they cannot reach our application (TCP port 7000/7050/7070).

IP's that the customers are coming from:
12.228.98.x
12.208.137.x
67.168.75.x
12.228.151.x
12.228.185.x
(and a few more)

The issue is not simply connectivity -- they ping in and hit http services on
our network, just not get to TCP ports 7000, 7050, 7070.  There is no apparent
issue on our side, we accept hundreds of thousands of connections to this application
each day.

Please contact me if you are able to assist in troubleshooting.

Thank you
- Dani


RE: Apologies but...Verizon Postmaster?

2003-11-21 Thread Wayne Gustavus (nanog)

Go ahead and send me your contact info offline and I'll see if I can forward
it to the right people in the mail team.


Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Michael Loftis
 Sent: Thursday, November 20, 2003 5:09 PM
 To: [EMAIL PROTECTED]
 Subject: Apologies but...Verizon Postmaster?
 
 
 I have been trying for weeks to get in touch with someone who 
 will respond 
 with something other than a form letter at Verizon.  Can 
 someone please 
 contact me off-list?  My company (Modwest) is being 
 unilaterally blocked. 
 I can't even send mail to abuse, postmaster, etc. from an 
 @modwest.com 
 address because of the block in place without a reason and 
 without recourse.
 
 TIA, and I'm sorry for posting here but it's really my last 
 resort (as it 
 should be anyones IMHO).
 
 --
 GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 
 88B9 E736 BD7E 
 



RE: This may be stupid but..

2003-11-10 Thread Wayne Gustavus (nanog)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of [EMAIL PROTECTED]
 Sent: Monday, November 10, 2003 6:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: This may be stupid but..
 
 
 
snip

 When I interview, I start out by asking one or two key 
 questions that help me quickly get to the truth. For instance 
 at one company, when I was hiring NOC folks, I started by 
 asking them to explain traceroute 
 to me. The answer that I wanted was one which showed that they had 
 a detailed understanding of what was going on at the protocol 
 level as the packets flowed through the network because that 
 view of the network is needed to effectively troubleshoot 
 problems. It did lead to one awkward situation with a 16 
 year-old who immediately started talking about ICMP echos 
 with varying TTL and routers sending back ICMP echo-replies. 
 I wanted to end the interview and hire him on the spot but it 
 seemed unfair to give this young guy the idea that job 
 interviews are that short.

Especially since not all traceroutes use ICMP and the reply from the routers
is typically NOT ICMP echo-reply. :-)


snip

 
 --Michael Dillon
 


-Wayne Gustavus



Converting from telco Major-V, Major-H coordinates to Lat Long

2003-09-29 Thread network-nanog


Any ideas on how to convert from telco Major-V, Major-H coordinates
to latitude and longitude?  Alternately, does anyone have a table of
mapping CLLI codes to latitude and longitude?  I am trying to
programmatically figure out the air distance between any two Verizon COs.

regards,
fletcher
--
Fletcher Kittredge
Great Works Internet
8 Pomerleau St.
Biddeford, ME 04005-9457



Re: Change to .com/.net behavior

2003-09-15 Thread dani-nanog

A couple things come to mind --

1) Does this increase the RAM needed on a caching resolver? I.e. does it take
more RAM to cache the 15-minute positive reply, than an NXDOMAIN negative
reply?

2) In the bestpractices.pdf file, it states the following:
  A response server should be configured to return an indication
   that the provided services were reached as a result of wildcard
   processing when the server returns a response to connection
   requests sent by end user applications.

Can Verisign explain how the following transaction is consistent with the
above guideline (where is the indication of wildcard processing):

$ telnet mx.no-suchdomain-yadda-yadda.com 25
Trying 64.94.110.11...
Connected to mx.no-suchdomain-yadda-yadda.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
helo example.com
250 OK
mail from: [EMAIL PROTECTED]
250 OK
rcpt to: [EMAIL PROTECTED]
550 User domain does not exist.

Oh well -- here's to looking out for the BIND patch...

- Dani


Re: Cross-country shipping of large network/computer gear?

2003-08-28 Thread nanog

 I still fail to see why I would choose an organization which handles hundreds
 of times more packages, most weighing less and being less breakable than
 mine, over one with the specialized equipment to move it.  An air cargo
 carrier with heavy-cargo equipment is still less likely to drop a pallet
 off a pallet jack than an express shipper with a handtruck.  That their
 respective employees are equally lackadaisical doesn't mean all other
 factors have been equalized.

Fedex != Fedex Freight

I have had fedex heavyweight boxes trashed, but have never had an
issue with Fedex Freight.  They show up with a liftgate or box truck,
and a pallet jack.   If your load is not palletized, they put it on
one in the truck.

I think Fedex Freight is a bit more in the heavy moving industry
than Fedex, agreed.

bill

ps. Is this operational? :)


Looking for Verizon Contact - default UDP port filtering is hurting our service

2003-08-26 Thread dani-nanog

Greetings,

I'm trying to find Verizon NOC contact information to discuss their
port filtering.

We have customers on Verizon DSL who cannot use our service due to
_alleged_ default filtering of high-numbered UDP ports.

I've tried puck, but the information is not there :(

If anyone is listening in, or can send me the contact info off-list,
that would be much appreciated.

If anyone has a URL that officially details blocked protocols/port
numbers, please share with the list.  Minimally, I'm looking for
confirmation of Verizon's policies in effect.  Ideally, I'd like to
convince them to allow our mutual customers to enjoy our services.

Thank you,

- Dani


root.rwhois.net broken

2003-07-23 Thread nanog

   Domain Name: RWHOIS.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS1.VERISIGNLABS.COM
   Name Server: NS2.VERISIGNLABS.COM
   Status: REGISTRAR-HOLD
   Updated Date: 15-jul-2003
   Creation Date: 10-jul-1996
   Expiration Date: 09-jul-2004

Registrar-hold?  Nice.  ETA for fix? 

$ host root.rwhois.net
Host root.rwhois.net. not found: 3(NXDOMAIN)

Can anyone from Network Solutions push this fix along?

Or possibly let me know the IP of root.rwhois.net so we can
look up things in the interim?

bill


Warning Someone is using your company name to defraud users: Fw: Transaction #: 34-355-268-52430

2003-07-20 Thread John Palmer (NANOG Acct)



Got this in my mailbox this afternoon - The URL 
goes to swiftSpay.com, not swiftpay.com.

You're probably aware of this scam - if not, now 
you know.

John P.

- Original Message - 
From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Sent: Sunday, July 20, 2003 2:49 PM
Subject: Transaction #: 34-355-268-52430


This is confirmation message for transfer of $1974.50 USD by E-mail
from:

*
SwiftPay User 
ID: [EMAIL PROTECTED]
Transaction #: 34-355-268-52430 
Ref.#: 04100927
*
To claim your money and confirm the 
transaction please, follow the link below:
http://www.swiftpay.com/transID?=34-355-268-52430±04100927f=US
The money will appear in your SwiftPay account balance once you confirm the
transaction and then you can withraw the balance to your bank account which you
added during the registration process. If you are not an existing member of SwiftPay.com you can
signup right now. The registration process is very simple and it takes less than
5 minutes.

Swiftpay`s intuitive interface 
makes sending and receiving money over the web as easy as one two three. Simply 
logon at Swiftpay.com 
and select which Swiftpay service you wish to avail of, whether it’s to fund 
your account, send money to friends family or 
businesses, request money or check your account details. With everything you 
need available at the 
click of a mouse, paying with Swiftpay couldn't be easier. Don’t forget, we 
value our commitment to Customer Service at Swiftpay – 
should you have any queries, please don’t hesitate to contact us and we'll do 
our best to answer 
your query as soon as possible.
Kind Regards,
Swiftpay Billing 
Dept.

SwiftPay -The E-Cash solution that brings online 
shopping closer to home
*
SWIFTPAY.COM SECURITY 
REMINDERS
Protect Your Username 
and Password and NEVER Reveal it to Third Parties!
*
WARNING! If you are not the intended recipient,
please inform the sender immediately by E-mail and delete this
message and all copies from your system.


Re:AOL MAIL BLOCKING

2003-07-18 Thread nanog



Sorry about the wrong url
its http://postmaster.info.aol.com/




Clueful comcast routing help needed, possible 69/8 filter issue?

2003-07-03 Thread nanog

Looking for a Comcast/ATT network contact.

I've gone through the published addresses and phone numbers,
and no one seems to have a clue.

There may be a 69/8 routing filter in place that affects us
in the dc area.

thanks
bill




LA: fiber between equinix/sd?

2003-07-01 Thread nanog

I hate posting to an operational list with this kind of stuff,
but i'm in a bind.

Does anyone have dark fiber (or gig-e capability) between LA Equinix
(600 W. 7th St) and LA switch and data (1200 W. 7th St)?

Unfortunately, we picked a new vendor on this one, and they hung
us out to dry (dragging feet, never completed, etc, etc.)  Now
we need it up asap.

Please reply off-list.  Salescritters welcome, as long as you are
reasonable (don't try and sell me a $5k gig-e transport.)

thanks
bill



Weird distributed spam attack

2002-11-19 Thread dru-nanog


Unless I missed the posts about this, I just experienced
(and still am experiencing) a distributed spam
attack.

I have a small machine at a colo. Today I check my
inbox and there are 2000+ extra messages to
a domain I have 'zbot.net'. The messages are doing
4 letter combinations for the recipient. (abde, abdf, etc.)
The from's are all [EMAIL PROTECTED]
I check my qmail queue - it's at 13405 messages.
I shut down mail and remove the email from the queue.

Here is the kicker. I check where these are coming from, they
are from all over the place. I check for IP address spoofing...
not happening. No IP options or TCP options.

This came from like about 300 different networks, and yes
I don't accept source routing (IP Options).


Anyways, it happened to my machine, I stopped accepting mail
to that domain from qmail-smtpd, so I'm back to normal.
If anyone wants a tcpdump of the connection attempts
or the emails. Let me know.


Dru Nelson
San Carlos, California
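
A way to spot the pattern described in the post above (short, alphabetically adjacent recipients at one domain arriving from hundreds of networks), as an added example that is not part of the original post. The `(source_ip, rcpt)` record layout, the thresholds and the sample addresses are assumptions; only the domain `zbot.net` and the `abde, abdf` pattern come from the message.

```python
import ipaddress
from collections import defaultdict
from string import ascii_lowercase

def net24(ip):
    """Collapse an IPv4 address to its /24 so one address pool counts once."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def harvest_report(records, min_rcpts=20, min_nets=10, min_ratio=0.5):
    """records: (source_ip, rcpt_address) pairs already parsed from the MTA log.
    Flags a domain that receives many 4-letter local parts, mostly alphabetic
    neighbours (abde, abdf, ...), from many unrelated source networks."""
    seen = defaultdict(lambda: {"locals": set(), "nets": set()})
    for ip, rcpt in records:
        local, _, domain = rcpt.lower().rpartition("@")
        if len(local) == 4 and local.isascii() and local.isalpha():
            seen[domain]["locals"].add(local)
            seen[domain]["nets"].add(net24(ip))
    report = {}
    for domain, s in seen.items():
        names = sorted(s["locals"])
        # Enumeration leaves neighbours differing only by +1 in the last letter.
        adjacent = sum(1 for a, b in zip(names, names[1:])
                       if a[:3] == b[:3] and ord(b[3]) - ord(a[3]) == 1)
        ratio = round(adjacent / max(len(names) - 1, 1), 2)
        report[domain] = {
            "rcpts": len(names), "nets": len(s["nets"]), "adjacent_ratio": ratio,
            "harvest": (len(names) >= min_rcpts and len(s["nets"]) >= min_nets
                        and ratio >= min_ratio),
        }
    return report

# Constructed sample: 52 guessed recipients at zbot.net, each from a different
# (RFC 1918, made-up) /24, plus ordinary mail for a second domain.
SAMPLE = [(f"10.{i}.{i % 7}.25", f"{prefix}{c}@zbot.net")
          for i, (prefix, c) in enumerate(
              (p, c) for p in ("abd", "abe") for c in ascii_lowercase)]
SAMPLE += [("192.0.2.10", "mary@example.org"), ("192.0.2.10", "john@example.org"),
           ("198.51.100.4", "root@example.org"), ("10.1.1.25", "postmaster@zbot.net")]

if __name__ == "__main__":
    for domain, row in harvest_report(SAMPLE).items():
        print(domain, row)
```

Counting /24s rather than single addresses keeps one noisy dial-up pool from looking like a distributed source, and the adjacency ratio separates enumeration from a domain that simply has many short usernames.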






RE: Could someone from Bell Nexxia contact me offlist

2002-11-11 Thread nanog

The Bell Nexxia looking glass is (I got this from traceroute.org):

http://looking-glass.in.bellnexxia.net:8080/




Mind sharing the Nexxia looking glass URL?

Thanks,

Joel

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:nanog;jamesstewartsmith.com]
 Sent: November 10, 2002 12:35 PM
 To: [EMAIL PROTECTED]
 Subject: Could someone from Bell Nexxia contact me offlist



 I'm having a routing issue where anyone on the Bell Nexxia
 network can't connect to my web server, but they can get to
 every other IP
 address on the same network.  There seems to be something odd
 I found in a
 Bell Nexxia looking glass.   Any help would be appreciated.


 --
 James Smith

 CCNP Certified
 Sun Certified Systems Administrator for Solaris 8



-- 
James Smith

CCNP Certified
Sun Certified Systems Administrator for Solaris 8





Could someone from Bell Nexxia contact me offlist

2002-11-10 Thread nanog

I'm having a routing issue where anyone on the Bell Nexxia
network can't connect to my web server, but they can get to every other IP
address on the same network.  There seems to be something odd I found in a
Bell Nexxia looking glass.   Any help would be appreciated.


-- 
James Smith

CCNP Certified
Sun Certified Systems Administrator for Solaris 8




Re: Bogon list or Dshield.org type list

2002-07-28 Thread John Palmer (NANOG Acct)


Yes - DSHIELD has our ORSC root server listed as well. I thought that was hilarious.

- Original Message - 
From: Charles Sprickman [EMAIL PROTECTED]
To: Johannes Ullrich [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 28, 2002 2:36 AM
Subject: Re: Bogon list or Dshield.org type list


 
 I looked up a nameserver that I once worked with and found that it is
 attacking from port 53.  Needless to say, it's not hacked, it's
 answering queries.
 
 Charles
 
 --
 Charles Sprickman
 [EMAIL PROTECTED]
 
 
 On Sat, 27 Jul 2002, Johannes Ullrich wrote:
 
 
 
  I do not recommend adding every IP listed at DShield to your filter.
  We do publish a 'block list', of the worst networks (based on reports
  for the last 5 days).
 
  Quick note on our methods: We basically aggregate firewall logs and
  offer summarized reports. The reports should allow everyone to apply
  their own judgment.
 
  For the block list:
  http://www.dshield.org/block_list_info.html
 
 
 
  On Sat, 27 Jul 2002 20:19:47 -0400
  Phil Rosenthal [EMAIL PROTECTED] wrote:
 
   I can comment on the dshield list.
   I have seen this before.  I am checking one particular IP on my network
   that has a very popular freehost on it.  Checking the load balancer IP
   (connections cannot be originated from this IP) -- it shows that there
   were 13 attacks initiated from the IP, and 7 targets.  Whatever their
   algorithm is, it doesn't seem reliable enough for me to trust it if an
   IP that can not originate connections is listed as an attacker (albeit
   small on their list)
   --Phil
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
   alsato
   Sent: Saturday, July 27, 2002 8:08 PM
   To: [EMAIL PROTECTED]
   Subject: Bogon list or Dshield.org type list
  
  
  
   I'm wondering how many of you use Bogon Lists and
   http://www.dshield.org/top10.html type lists on your routers?  I'm
   curious to know if you are an ISP  with customers or backbone provider
   or someone else?  I have a feeling not many people use these on routers?
   I'm wondering why or why not?
   I've never used them on my routers although I work for a new isp/cable
   provider.  I'm thinking it would make my users happy to use them though.
  
  
   alsato
  
  
 
 
  --
  ---
  [EMAIL PROTECTED] Collaborative Intrusion Detection
  join http://www.dshield.org
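
The false positives reported in this thread (a nameserver listed as "attacking from port 53", a load balancer that cannot originate connections) come from counting reply traffic in aggregated firewall logs as attacks. The sketch below is an added example, not DShield's algorithm and not code from any poster; the record layout, port set, threshold and sample records are all assumptions.

```python
from collections import defaultdict

# Assumption: services whose late or stray replies commonly show up in drop logs.
SERVICE_PORTS = {25, 53, 80, 443}

def is_likely_reply(src_port, dst_port):
    """Traffic from a well-known service port to an ephemeral port looks like
    an answer to something the reporting site asked for, not a probe."""
    return src_port in SERVICE_PORTS and dst_port >= 1024

def naive_rank(records, min_targets=3):
    """Count every dropped packet's source as an attacker."""
    targets = defaultdict(set)
    for reporter, src, _sport, _dport in records:
        targets[src].add(reporter)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def filtered_rank(records, min_targets=3):
    """Rank only probe-like records; return reply-like sources separately so
    an analyst can still review them (a scanner can forge source port 53)."""
    targets, replies = defaultdict(set), defaultdict(int)
    for reporter, src, sport, dport in records:
        if is_likely_reply(sport, dport):
            replies[src] += 1
        else:
            targets[src].add(reporter)
    listed = sorted(s for s, t in targets.items() if len(t) >= min_targets)
    return listed, dict(replies)

# Constructed records: (reporting site, source IP, source port, destination port).
# 192.0.2.53 is a busy nameserver; 203.0.113.9 probes port 445 at four sites.
RECORDS = [(f"site{i % 7}", "192.0.2.53", 53, 32768 + i) for i in range(13)]
RECORDS += [(f"site{i}", "203.0.113.9", 40000 + i, 445) for i in range(4)]

if __name__ == "__main__":
    print("naive:   ", naive_rank(RECORDS))
    print("filtered:", filtered_rank(RECORDS))
```

The reply-like sources are reported rather than discarded, which matches the advice in the thread to apply your own judgment before turning a list into a router filter.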
 
 
 




Re: Act Surprised.....

2002-07-21 Thread John Palmer (NANOG Acct)


Oh goodie - now maybe my BUY order for 50,000 shares at $0.01 will
execute.  :-


- Original Message - 
From: Jeff Workman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 21, 2002 8:23 PM
Subject: Act Surprised.


 
 http://biz.yahoo.com/rb/020721/worldcom_bankruptcy_16.html
 
 --
 Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org
 




Re: GBLX router upgrade breaks bgp sessions

2002-07-10 Thread nanog


On Wed, Jul 10, 2002 at 09:17:56AM -0500, John Kristoff wrote:
 On Wed, Jul 10, 2002 at 07:04:38AM -0700, nanog wrote:
  Subject says it all.  GBLX upgraded some edge routers to a new JunOS
  release (possibly 5.3 rev 24)- and now our bgp sessions continually
  reset with:
  
  Jul 10 06:58:24 MST: %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/3 (update missing required attributes) 0 bytes
  
 
 I don't know about gblx, but I saw a problem like this at our border.
 After JunOS was upgraded to 5.3r2.4 (other side IOS) the session was
 continually being reset.  The bgp session between these two peers
 was setup with family inet any (for multicast peering) and when that
 was removed, the problem went away.  I also heard about a problem that
 may be related I2 was having with their Juniper code, it sounded
 related, but I haven't investigated the details yet.
 
 John

That was it- A quick TAC case later (about 10 minutes turnaround from
problem submission to resolution- upgrade IOS or remove multicast from
bgp peer) and the problem is fixed.  I removed multicast since it was
not required on this peer, and will schedule the IOS upgrade during
a more friendly maintenance window.

GBLX, however, has not returned my call since I opened a high priority,
customer down ticket about 1.5 hours ago.  Like all other support calls
to their NOC, this seems to have disappeared into nevernever land.  
I love the GBLX network when it works, but god help you if you ever 
need to talk to a clueful NOC person to fix a problem (especially after 
hours.)  

bill




Re: GBLX router upgrade breaks bgp sessions

2002-07-10 Thread nanog


Yes, removing MBGP from the neighbor statement.  Sorry for the ambiguity.

bill

On Wed, Jul 10, 2002 at 12:58:30PM -0400, Marshall Eubanks wrote:
 Can you provide any details as to why you had to remove multicast -
 do you mean, remove MBGP ? Or is there more?
 
 nanog wrote:
 
  On Wed, Jul 10, 2002 at 09:17:56AM -0500, John Kristoff wrote:
  
 On Wed, Jul 10, 2002 at 07:04:38AM -0700, nanog wrote:
 
 Subject says it all.  GBLX upgraded some edge routers to a new JunOS
 release (possibly 5.3 rev 24)- and now our bgp sessions continually
 reset with:
 
 Jul 10 06:58:24 MST: %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/3 (update missing required attributes) 0 bytes
 
 
 I don't know about gblx, but I saw a problem like this at our border.
 After JunOS was upgraded to 5.3r2.4 (other side IOS) the session was
 continually being reset.  The bgp session between these two peers
 was setup with family inet any (for multicast peering) and when that
 was removed, the problem went away.  I also heard about a problem that
 may be related I2 was having with their Juniper code, it sounded
 related, but I haven't investigated the details yet.
 
 John
 
  
  That was it- A quick TAC case later (about 10 minutes turnaround from
  problem submission to resolution- upgrade IOS or remove multicast from
  bgp peer) and the problem is fixed.  I removed multicast since it was
  not required on this peer, and will schedule the IOS upgrade during
  a more friendly maintenance window.
  
  GBLX, however, has not returned my call since I opened a high priority,
  customer down ticket about 1.5 hours ago.  Like all other support calls
  to their NOC, this seems to have disappeared into nevernever land.  
  I love the GBLX network when it works, but god help you if you ever 
  need to talk to a clueful NOC person to fix a problem (especially after 
  hours.)  
  
  bill
  
  
 
 
 -- 
   Regards
   Marshall Eubanks
 
 
 T.M. Eubanks
 Multicast Technologies, Inc
 10301 Democracy Lane, Suite 410
 Fairfax, Virginia 22030
 Phone : 703-293-9624   Fax : 703-293-9609
 e-mail : [EMAIL PROTECTED]
 http://www.multicasttech.com
 
 Test your network for multicast :
 http://www.multicasttech.com/mt/
   Status of Multicast on the Web  :
   http://www.multicasttech.com/status/index.html
 



[no subject]

2002-06-27 Thread owner-nanog

-Envelope-To: [EMAIL PROTECTED]
Date: Thu, 27 Jun 2002 22:08:37 + (GMT)
From: Hermann Wecke [EMAIL PROTECTED]
To: nanog [EMAIL PROTECTED]
Subject: Re: How do I log on while in flight?
In-Reply-To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog


On Thu, 27 Jun 2002, David Charlap wrote:

 The GTE airfones installed in most large planes have data ports if you
 must connect a computer.  But be prepared to pay a very steep per-minute
 charge for the connection.

Expensive: US$ 2.49 per minute on United flights...





Discussion of Results

2002-05-23 Thread John Palmer (NANOG Acct)


Proposal #1 (which passed by over 2/3rds - 67.9%) expresses the sense of the
GA that DOC should re-bid the ICANN contract and forget ICANN completely

Proposal #2 (which passed by 75%) expresses to ICANN the desire that they
reform in a meaningful way, and if they don't, that the DOC should replace
ICANN.

Interesting


AGN Domain Name Services, Inc  http://www.adns.net
Since 1995. The Registry for .AMERICA, .EARTH, .LION, .USA and .Z
Define yourself or Be Defined.
Censorship-free GA list at : http://dns-o.org/mailman/listinfo/ga




Re: UUNET instability?

2002-04-25 Thread nanog


I tried to get a couple of messages to the list earlier, but I guess the
problems stop it.

-- Forwarded message --
Date: Thu, 25 Apr 2002 10:07:37 -0400 (EDT)
From: James S. Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Problems with UUNet backbone

Maybe this is unrelated, but myself and some other colleagues I've contacted
by phone just in the past few minutes have noticed some connectivity
problems with the Worldcom backbone.  Particularly, some routers on
152.63.131.0 seem to be down.  The result is I can't get to the root name
servers.  I've tried tracerouting to all 13 root name server and I
can only get to 3.  The traceroutes all die in the block I mentioned
about.  Anybody else noticing this?  Can anybody responsible for the IP block
confirm?



On Thu, 25 Apr 2002, Streiner, Justin wrote:


 Anyone else seeing routing instability through UUNET or have any more
 details?  I saw a significant drop in my inbound and outbound traffic to
 them around 10:00AM EDT.  UUNET has a prompt on their phone menus about
 network instability, but didn't elaborate.  Their NOC doesn't have any
 more details as of yet that they're passing along.

 jms


-- 








DNS-O.NET?

2002-03-23 Thread John Palmer (NANOG Acct)


Is anyone aware of the significance of the domain dns-o.net in China.
I just registered this domain for another purpose and pointed it to an
empty website for now and the log file is full of what appear to be requests
for random URLs (mostly for banners .gifs, etc). I'm just curious if anyone
knows the history of that domain.


AGN Domain Name Services, Inc  http://www.adns.net
Since 1995. The Registry for .AMERICA, .EARTH, .LION, .USA and .Z
Define yourself or Be Defined.
Censorship-free GA list at : http://dns-o.org/mailman/listinfo/ga