Re: Akamai DNS Issue?
Hi, We've been seeing this too, but it looks to have been fixed from here (AS12703) as of about 2 minutes ago. Regards, Rich On Tue, 15 Jun 2004, Deepak Jain wrote: We're seeing it too. Has AKAM lost any key talent that kept them straight until a few weeks ago? Isn't this the second issue to hit Nanog in as many months? DJ Blaine Christian wrote: Can someone confirm from another location? Comments from Akamai? Google appears to be having DNS issues in several places... Luckily my internal network cache appears to remain viable. I can not resolve google from home using a more production set of DNS servers nor can a buddy of mine who hangs off of Verio. If you want some google IPs here is what is in my cache at work... Non-authoritative answer: Name:www.google.akadns.net Addresses: 216.239.51.147, 216.239.51.99, 216.239.51.104 Aliases: www.google.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leo Bicknell Sent: Tuesday, June 15, 2004 9:09 AM To: [EMAIL PROTECTED] Subject: Akamai DNS Issue? x -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org -- Virus scanned by edNET.
Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?
On Sun, 25 Jan 2004, Jeff Kell wrote: We're running 30 SVIs on a 3550-12 (only 10 active at the moment, we're in a transition). It is an aggregation switch that feeds back via L3. According to the documentation on the Cisco site: http://www.cisco.com/warp/public/473/145.html The 3550-12 is only capable of handling 16 SVIs in hardware (regardless of SDM template), after that you get into resource exhaustion which means it add the SVIs, but will go back to software/CPU-based routing. Does the 3550/3750 give any indication that it's in this state (software routing) other than melting under high traffic volumes? We're currently waiting on Cisco getting back to us on figures for the 3750, but given that it has a similar TCAM setup to the 3550-12, I'd doubt it would be different. Rich
Wirespeed 24-port L3 switches
Hi all, We're looking at L3 switches which have decent L3 packet forwarding performance (wirespeed if possible), a reasonable amount of L4 ACLs/ACEs (an average of at least 80 per port) and comes in a 24-port 10/100 port package with a couple of GBIC slots for uplinking to the core network. OSPF, but no BGP. We've looked at the Cisco 3550-24, but they seem to have resource exhaustion issues[1] if you create more than 8 SVI's (i.e. it goes back to software routing). Extreme 200 switches look OK, but are limited to about 1000 ACE[2] (averages 32 rules per port). Allied Telesyn's 8800/Rapier series currently only manage half that figure in hardware and don't support UDP/TCP port ranges in a single ACE[3]. Are our expectations of a 24-port switch too high? Would it be better to move over to higher density switches and put in large amounts of underfloor cabling in large installations and keep putting separate routers and switches into the smaller locations (100 ports)? Or are L3 switches not a mature product and we should all stick to using switches for L2 and have L3+ dealt with by dedicated routers for the time being? Cheers, Rich [1] http://www.cisco.com/warp/public/473/145.html [2] http://www.extremenetworks.com/libraries/prodpdfs/products/summit200_24_48.asp [3] They do support ranges, but a rule to cover a single range may require multiple ACEs.
Re: ethernet-based temperature sensors
On Wed, 3 Sep 2003, matthew zeier wrote: I know this has been mentioned before, but other than NetBotz (too pricey), what are people use as ethernet-based, SNMP-probable temp sensors? http://www.jacarta.co.uk Rich
GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote: We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propogating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations. We've noticed that one of our upstreams (Global Crossing) has introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future. What are other transit providers doing about this or is it just GLBX? Cheers, Rich
Windows update down again?
Hi all, I was just updating a couple of Windows machines and had been using Windows Update without any problems until about 5 mins ago (22:10 GMT) when I've started getting this: Thank you for your interest in Windows Update Windows Update is the online extension of Windows that helps you get the most out of your computer. The latest version of Windows Update is available on computers that are running Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 (except Windows 2000 Datacenter Server), Windows XP, and the Windows Server 2003 family. URL is http://v4.windowsupdate.microsoft.com/default.asp which redirects to http://v4.windowsupdate.microsoft.com/en/thanks.asp. Also happens for http://windowsupdate.microsoft.com/. This is from multiple machines running Windows 2000 (Pro and Server) and Windows 2003 server. Anyone else seeing this yet? Does anyone know of an alternative URL for Windows Update in the meantime? Rich
Re: Windows update down again?
It's just come back now. Must have been a temporary holding page while they did some maintenance. On Sun, 17 Aug 2003, [EMAIL PROTECTED] wrote: Hi all, I was just updating a couple of Windows machines and had been using Windows Update without any problems until about 5 mins ago (22:10 GMT) when I've started getting this: Thank you for your interest in Windows Update Windows Update is the online extension of Windows that helps you get the most out of your computer. The latest version of Windows Update is available on computers that are running Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 (except Windows 2000 Datacenter Server), Windows XP, and the Windows Server 2003 family. URL is http://v4.windowsupdate.microsoft.com/default.asp which redirects to http://v4.windowsupdate.microsoft.com/en/thanks.asp. Also happens for http://windowsupdate.microsoft.com/. This is from multiple machines running Windows 2000 (Pro and Server) and Windows 2003 server. Anyone else seeing this yet? Does anyone know of an alternative URL for Windows Update in the meantime? Rich -- Virus scanned by edNET.
RE: How much longer..
On Thu, 14 Aug 2003, St. Clair, James wrote: Cars did not become more popular because owners had to learn how to swap more parts. The good ole computers as cars metaphor. In the UK: 1) In order to drive a car, you have to have a license. 2) In order to have the car on the road, you have to have it taxed and have a qualified mechanic certify it for basic road worthiness. Neither of these rules currently apply to computers. Maybe they should. Rich
RE: How much longer..
On Thu, 14 Aug 2003, St. Clair, James wrote: I've lived in the UK, and never had a license to maintain or update the engine. See point number 2: 2) In order to have the car on the road, you have to have it taxed and have a qualified mechanic certify it for basic road worthiness. The computers as cars analogy applies to commoditization of a utility. A computer is a computer. Analogies like this only serve to add to the confusion. Rich
Re: WANTED: ISPs with DDoS defense solutions
On Wed, 30 Jul 2003, Mike Tancsa wrote: I recall one of our users was involved in a DoS once a few years back when the giant pings could crash MS boxes. The fact that his perceived anonymity was removed was enough to keep him from repeating his attacks That's the heart of the problem. Anyone who's owned enough boxes can sit there happily running a DDoS anonymously against a target because: 1) The OS/software/default settings for a lot of internet connected machines are weak, making it easy to attack from multiple locations. 2) A lot of networks have no customer or egress filtering and make it a lot more difficult to trace DDoS traffic because it generally uses faked source addresses. If these issues are addressed then it becomes a lot harder to remain anonymous and starting DDoS attacks against targets that can trace you becomes a lot less attractive. Cheers, Rich
Re: source filtering (Re: rfc1918 ignorant)
On Wed, 23 Jul 2003, Jared Mauch wrote: I think you'll see more and more networks slowly over time move closer to bcp38. Is there anywhere that this is recorded? It would be interesting to see what the actual state of play on implementation of BCP38 was. I believe that ATT is the only tier-1 provider that is in full compliance with this. We've asked other tier-1's about BCP38 and were completely underwhelmed by the response. If you believe in the BCPs then I guess you just have to vote with your feet and try to use transit providers which comply with them. We've been trying to get transit from ATT in London for a while now, but they're obviously spending all their efforts on blocking RFC1918 traffic rather than talking to prospective customers. :-S Rich
re: rfc1918 ignorant
On Wed, 23 Jul 2003, Dave Temkin wrote: Is this really an issue? So long as they're not advertising the space I see no issue with routing traffic through a 10. network as transit. If you have no reason to reach their router directly (and after Cisco's last exploit, I'd think no one would want anyone to reach their router directly :-) ), what's the harm done? If Frank's seeing the IP in his traceroute then the network concerned isn't properly filtering traffic leaving their borders as per BCP38: http://www.faqs.org/rfcs/bcp/bcp38.html Rich
Re: BTinternet problems?
On Thu, 19 Jun 2003, Mike wrote: I have sent mail to every address @BT that looks like it might possess clue, to no avail. This is a general plea for help- if anyone has an idea of how I might resolve this, I would be very grateful... Point the customer at www.traceroute.org? HTH, Rich
Re: Risk of Internet collapse grows
On Wed, 27 Nov 2002, David Diaz wrote: I think this is old news. There was a cover story back in 1996 time frame on Mae_east. We have to ask how likely is this with many of the top backbones doing private peering over local loops, how much damage would occur if an exchange point where hit? It depends which exchange point is hit. There are a couple of buildings in London which if hit would have a disasterous affect on UK and European peering. What about fibre landing stations? Are these diverse enough? Again, most of the transatlantic fibre (for the UK) appears to come in near Lands End. Rich
Re: Odd DDoS, anyone else seen this?
On Mon, 25 Nov 2002, Stephen J. Wilcox wrote: We saw many hundred thousand packets per second entering our network from various international peers, each packet was tcp destined to a single real end user IP address and sourced from a /16 network address eg 61.254.0.0, where the src was random and different on each packet but always x.x.0.0 Yes. We've asked all our upstreams to block it completely (with varying degrees of success from it being permenantly blocked at their borders to we can't apply filters on your interface). For Junos (I was informed that this is only available in 5.5), you can filter using: 0.0.0.0/0.0.255.255 On a cisco you can block using: deny ip 0.0.0.0 255.255.0.0 any I was unable to find out more about the data within the packet, the sheer volume made diagnosis impossible without killing the routers. Looked just like a regular SYN flood to the target IP. Not sure why they picked source addresses that were so obviously bogus though. Can anyone think of a reason why this sort of traffic should be routed at all? Does anyone actually drop hosts on to addresses ending in x.x.x.0? Rich
Re: Odd DDoS, anyone else seen this?
On Mon, 25 Nov 2002, Chris Roberts wrote: Yer, some dial providers that I've seen do it to make use of these addresses, as x.x.x.0/32 is a perfectly valid host address. I've seen this too. Dialup boxes that use dynamic pools prefer them to start on a subnet boundry so that they can announce a single aggregate route for the whole pool. However we ran into problems with using x.x.x.0 before (think it was a broken TCP/IP from some vendor or another) and so we moved the dynamic pools further up the subnet. Rich
no ip forged-source-address
Hi, I've been following the discussion on DDoS attacks over the last few weeks and our network has also recently been the target of a sustained DDoS attack. I'm not alone in believing that source address filters are the simplest way to prevent the types of DDoS traffic that we have all been seeing with increasing regularity. Reading the comments on this list have lead me to believe that there is a lot of inertia involved in applying what appears to me as very simple filters. As with the smurf attacks a few years ago, best practice documents and RFC's don't appear to be effective. I realise that configuring and applying a source address filter is trivial, but not enough network admins seem to be taking the time to lock this down. If the equipment had sensible defaults (with the option to bypass them if required), then perhaps this would be less of an issue. Therefore, would it be a reasonable suggestion to ask router vendors to source address filtering in as an option[1] on the interface and then move it to being the default setting[2] after a period of time? This appeared to have some success with reducing the number of networks that forwarded broadcast packets (as with no ip directed-broadcast). Just my $0.02, Richard Morrell edNET [1] For example, an IOS config might be: interface fastethernet 1/0 no ip forged-source-address [2] Network admins would still have the option of turning it off, but this would have to be explicitly configured.
