Re: facebook worm

2008-08-07 Thread Gadi Evron

[top-posting]

Now that this worm has been somewhat balked, I'd like to thank the 
membership for your patience with this off-topic post. I realize it is 
probably as annoying to some as it was useful to others.


My thinking was that on the rare occasion when we can anticipate 
*possible* and *serious* floods and bottle-necks at ISP tech-support 
lines, across multiple providers and regions, we should share that 
information. NANOG remains the best place for such information 
sharing.


While I realize this mailing list is mostly about network operations and 
less about ISP operations, we had a discussion in the past where we have 
seen some in our community do use this information effectively and find 
it useful.


This is a rare occasion indeed, but an explanation and an apology were in 
order.


Thank you,

Gadi.


On Wed, 6 Aug 2008, Gadi Evron wrote:

> Hi all. You may want to be ready for a *possible* support lines flood today.
>
> Yesterday I discovered a fast-spreading facebook worm. It spreads by sending
> messages to all your facebook friends, from your account, asking them to
> click on a link in the .pl ccTLD.
>
> This worm is somewhat similar to zlob, here is a link to a kaspersky paper on
> a previous iteration of it, they call it koobface:
>
> http://www.kaspersky.com/news?id=207575670
>
> The worm collects spam subject lines from, and then sends the users personal
> data to the following C&C:
>
> zzzping.com
>
> I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
> mailing list was updated that the domain is no longer reachable. That was
> very fast response time from DirectNIC, which we appreciate.
>
> The worm is still fast-spreading, watch the statistics as they fly:
> http://www.d9.pl/system/stats.php
>
> The facebook security team is working on this, and they are quite capable.
> The security operations community has been doing analysis and take-downs, but
> the worm seems to still be spreading.
>
> All anti virus vendors have been notified, and detection (if not removal)
> should be added within a few hours to a few days.
>
> For now, while users may get infected, their information is safe (unless the
> worm has a secondary contact C&C which I have not verified yet).
>
> It seems like some users may have learned not to click on links in email, but
> any other medium does not compute.
>
> Gadi.





Re: facebook worm

2008-08-07 Thread Paul Wall
Gadi,

Please take a few moments to reflect on:

http://www.nanog.org/endsystem.html

I'd appreciate it if you'd try and keep future off-topic postings like
this to a minimum, as it makes the list difficult to wade through to
get to what matters.

Regards,
Paul (not currently MLC, though I promise to put you in your place
once the SC affords me the privilege :)

On Thu, Aug 7, 2008 at 12:44 AM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Hi all. You may want to be ready for a *possible* support lines flood today.
>
> Yesterday I discovered a fast-spreading facebook worm. It spreads by sending
> messages to all your facebook friends, from your account, asking them to
> click on a link in the .pl ccTLD.
>
> This worm is somewhat similar to zlob, here is a link to a kaspersky paper
> on a previous iteration of it, they call it koobface:
> http://www.kaspersky.com/news?id=207575670
>
> The worm collects spam subject lines from, and then sends the users personal
> data to the following C&C:
> zzzping.com
>
> I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
> mailing list was updated that the domain is no longer reachable. That was
> very fast response time from DirectNIC, which we appreciate.
>
> The worm is still fast-spreading, watch the statistics as they fly:
> http://www.d9.pl/system/stats.php
>
> The facebook security team is working on this, and they are quite capable.
> The security operations community has been doing analysis and take-downs,
> but the worm seems to still be spreading.
>
> All anti virus vendors have been notified, and detection (if not removal)
> should be added within a few hours to a few days.
>
> For now, while users may get infected, their information is safe (unless the
> worm has a secondary contact C&C which I have not verified yet).
>
> It seems like some users may have learned not to click on links in email,
> but any other medium does not compute.
>
>Gadi.
>
>



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas


> This is scanning of darknets - usually you're interested in what comes
> back, i.e. can you 0wn it?  so src has to be valid.


Yep yep.

--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");




Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas

Hey, Randy.


> this is an extremely far cry from 60%.  what am i not understanding?


There are a few factors at work here.

One, the 60% figure was from 2001-03-16.  There were more bogons then, 
and our sundry measures saw a lot more malevolence from bogon space.


A popular belief in the underground in 2001 was that spoofing in 
general, and the use of bogon space specifically, added a layer of 
protection for their collections of compromised hosts.  In the age of 
masses of compromised routers, servers, and workstations, that's no 
longer a necessary defensive measure.  At circa US $.04 each, bots are 
easily replaced.  Compromised routers don't cost much more than that.


Two, we really can't compare the two (time issues aside).  The 60% 
figure came from a study of a frequently (as in daily) attacked web 
site.  The figures I shared today came from our Darknets, which are more 
global and not limited to a certain type of service or site owner.


Third, that site has been split into multiple sites (after about 2005) 
so unfortunately I can't easily reproduce the study from 2001.  That is 
a real bummer.


So I'm not comparing apples and apples.

We also track DDoS attacks, malware propagation, and other Internet 
malevolence.  As a shot from the hip, I'll say we see very little abuse 
from bogon IP space.  I won't say we see no abuse from bogon space, 
however, so we keep bogons automatically filtered on our border.  I like 
to keep the online criminal toolkit as sparse as I can.  :)



> and can you separate reserved (127, ...) and unallocated?


I can indeed, though it'll take me a bit to do so.  Again, stay tuned.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");




Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Niels Bakker

* [EMAIL PROTECTED] (Randy Bush) [Fri 08 Aug 2008, 00:59 CEST]:

> rob,
>> If the source of a scan or probe is a bogon, we tag it that way in our
>> data store.  I went back to 2008-01 and found the following percentages
>> of bogons in our data:
[..]
>>    2008-08: 0.001258054% (thus far)
>
> this is an extremely far cry from 60%.  what am i not understanding?
>
> and can you separate reserved (127, ...) and unallocated?


This is scanning of darknets - usually you're interested in what comes 
back, i.e. can you 0wn it?  so src has to be valid.


(D)DoS of course are much more likely to come closer to the 60% number. 
No need to get the SYN+ACKs or the ICMP echo replies back...



-- Niels.



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Randy Bush
rob,

> If the source of a scan or probe is a bogon, we tag it that way in our
> data store.  I went back to 2008-01 and found the following percentages
> of bogons in our data:
> 
>2008-01: 0.001095262%
>2008-02: 0.001759343%
>2008-03: 0.001619555%
>2008-04: 0.001433908%
>2008-05: 0.001182351%
>2008-06: 0.130534559%
>2008-07: 0.002327683%
>2008-08: 0.001258054% (thus far)

this is an extremely far cry from 60%.  what am i not understanding?

and can you separate reserved (127, ...) and unallocated?

randy



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas


> I guess I parsed that differently than you did.  When he said "fully 60%
> of the naughty packets were obvious bogons", I read that as meaning 60%
> of all bad packets (bogon-sourced or otherwise) were from bogon space.


That's correct.

--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");




Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore

On Aug 7, 2008, at 5:35 PM, Robert E. Seastrom wrote:

> Randy Bush <[EMAIL PROTECTED]> writes:
>
>>>> How much does it help to filter the bogons? In one study conducted by
>>>> Rob Thomas of a frequently attacked site, fully 60% of the naughty
>>>> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)
>>>
>>> Stated another way, you can get 60% success on bogon filtering by
>>> ignoring the free pool
>>
>> if 127.1.2.3 and 0.5.4.3 are in the free pool, we have a few more /8s in
>> the bank than we thought, eh? :)
>
> I guess I didn't really word that clearly.
>
> My point was that by not including the free pool in your candidates
> for filtering (i.e., only filtering out packets from addresses that
> will never be allocated or are permanently reserved such as 1918
> space), you're only sacrificing 40% of your likely hits...  and that
> number is going down over time.  Why not just cut to the chase and
> make a filter that will never go stale, take any possible lumps on the
> bogus packet announcement side, and collect handsomely on the
> operational side?


I guess I parsed that differently than you did.  When he said "fully  
60% of the naughty packets were obvious bogons", I read that as  
meaning 60% of all bad packets (bogon-sourced or otherwise) were from  
bogon space.


If my interpretation is correct, you cannot tell anything about which  
% was from permanently bad space vs. unallocated space.


Rob T., could you clarify for us please?


Also, filtering bogons has the same utility / dangers of MD5.  Many  
people think MD5 is a "good thing", even though the amount of downtime  
caused by it is (at least) several orders of magnitude larger than the  
amount of downtime caused by successful RST attacks.  I think the  
danger outweighs the benefit.  If you are arguing the same thing here,  
that's fine with me.  But let's find out what the danger is and make  
the decision.  Oh, and then everyone should take their own advice and  
de-configure MD5. :-)


--
TTFN,
patrick




Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore
[Just a correction because Randy attributed something to me that I  
didn't do.]


On Aug 7, 2008, at 4:14 PM, Randy Bush wrote:

> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say.  luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term.  i am patient.


_patrick_ did not cut anything from that paragraph.  Check the  
archives, the whole paragraph is in my post.  Rob Seastrom cut  
patrick's quote off when he replied.


--
TTFN,
patrick




RE: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread Darden, Patrick S.

Hi Jay,

Jay Ashworth:
> Sure.  And he's not always right either; none of us are.
> But he gave cogent arguments to support his point, and you gave us

He gave good arguments.  You, however, did not.

> None of which amounts to "wants to hurt people", which is what you
>accused him of.

I was out of line here.  I apologize to Michael.  I don't think he
took offense, but if he did I genuinely regret it.

> And yet I see that you don't yourself bother to try to prove your
> argument; you merely continue to go after Michael and I on peripheral
> points.  No pun intended.

Didn't have to: you didn't address anything other than personal or
peripheral stuff.

> Sure.  Online coke machines are just about as cool as coffee-pot
> webcams.

They were in 1995.  Back when the first one went online.  That was
too cool for me to express.


> But they're orthogonal to the discussion that was at hand, and your
> returning to that well in the middle of a serious discussion suggests
> that you, yourself, are not all that serious.

Or perhaps that I was trying to cool the discussion down a bit.  I had
already tried to bring it to a close once.  It was an extended hyperbole
of ridiculousness.  Soda machines.  Mm.


> Once is tongue in cheek.
> Twice or three times is dilettante.

No, I think it just proves that saying the same stupid joke three
times doesn't make it funny.  Doesn't mean I am a dilettante
network operator.  Just means I'm not funny.  ;-)


> I don't know, Patrick; you seem to be the one emotionalizing the
> argument.

Yeah, I have a sharp tongue too.  And I am a dilettante.  And everything
I say is just so cute and precious.  And I am Wrong.

> I'm out of this one though; we are certainly out of AUP.

I'm with you on this, for sure.  If you want to address me off-list
please feel free.
--Patrick Darden



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas

Hi, NANOG (he says with a shout)!


> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say.  luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term.  i am patient.


Yep yep, have some results at last.  Sorry, the queries took a bit 
longer than planned.


Note that the study I conducted which populated the "60 Days of Basic 
Naughtiness" presentation is now years old.  Such studies, like me, 
don't necessarily age well.  :)


This is not meant to replace a more comprehensive and clueful study by 
the likes of Vern, Stefan, and the CAIDA crew.  As folks may know we 
have a large Darknet[1] project.  In there we collect the scanning 
activity of malware, backscatter, and the like.  Often we can tie the 
scanning pattern to a family of malware or maltool.


If the source of a scan or probe is a bogon, we tag it that way in our 
data store.  I went back to 2008-01 and found the following percentages 
of bogons in our data:


   2008-01: 0.001095262%
   2008-02: 0.001759343%
   2008-03: 0.001619555%
   2008-04: 0.001433908%
   2008-05: 0.001182351%
   2008-06: 0.130534559%
   2008-07: 0.002327683%
   2008-08: 0.001258054% (thus far)

That's not a lot of bogon activity in the Darknets, though Darknets are 
only one measure of malevolent traffic.  Your mileage may vary, etc.


   [1] 

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");




Re: IPv6 bogons/unallocated space list?

2008-08-07 Thread Rob Thomas


> Is there such a beast yet? I didn't see anything on the CYMRU page (so
> its either completely obvious, or not there).


It's not easily located, but it does exist:

   
   
   

It is maintained by Team 6Bogon <6bogon at inetcore.com>.  We and they 
would LOVE to have your feedback!



--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");




Re: IPv6 bogons/unallocated space list?

2008-08-07 Thread Arnold Nipper

On 07.08.2008 23:28 Deepak Jain wrote:

> Is there such a beast yet? I didn't see anything on the CYMRU page (so
> its either completely obvious, or not there).
>
> Given the shrinking use of IPv4 bogon lists and the increasing need of a
> well-updated IPv6 one, I figured I'd ask.



http://www.space.net/~gert/RIPE/ipv6-filters.html should be fairly up to date.




Arnold
--
Arnold Nipper, AN45





Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Robert E. Seastrom

Randy Bush <[EMAIL PROTECTED]> writes:

>>> How much does it help to filter the bogons? In one study conducted by
>>> Rob Thomas of a frequently attacked site, fully 60% of the naughty
>>> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)
>>
>> Stated another way, you can get 60% success on bogon filtering by
>> ignoring the free pool
>
> if 127.1.2.3 and 0.5.4.3 are in the free pool, we have a few more /8s in
> the bank than we thought, eh? :)

I guess I didn't really word that clearly.

My point was that by not including the free pool in your candidates
for filtering (i.e., only filtering out packets from addresses that
will never be allocated or are permanently reserved such as 1918
space), you're only sacrificing 40% of your likely hits...  and that
number is going down over time.  Why not just cut to the chase and
make a filter that will never go stale, take any possible lumps on the
bogus packet announcement side, and collect handsomely on the
operational side?

> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say.  luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term.  i am patient.

I read that thrice and thought "wtf?" twice, until I properly
dereferenced "rob" to "robt", not "rs".  Heh.

> but your post makes me inclined to beg that he/that he have a few taxa
> within the bogon space.

Come, come, elucidate your thoughts.

-r




IPv6 bogons/unallocated space list?

2008-08-07 Thread Deepak Jain


Is there such a beast yet? I didn't see anything on the CYMRU page (so 
its either completely obvious, or not there).


Given the shrinking use of IPv4 bogon lists and the increasing need of a
well-updated IPv6 one, I figured I'd ask.

thanks,

Deepak



Excessive Latency on Verio backbone

2008-08-07 Thread Fouant, Stefan
Is there something going on In Verio's backbone this afternoon?  It seems I am 
getting excessive latency between two of my sites which are directly connected 
through AS 2914: 

 

rtrpxny> traceroute 140.174.21.x as-number-lookup
traceroute to 140.174.21.x (140.174.21.x), 30 hops max, 40 byte packets
 1  129.250.192.89 (129.250.192.89) [AS  2914]  0.762 ms  0.513 ms  0.589 ms
 2  ae-1.r21.nycmny01.us.bb.gin.ntt.net (129.250.2.220) [AS  2914]  0.622 ms  0.554 ms  0.594 ms
     MPLS Label=127664 CoS=0 TTL=1 S=1
 3  p64-2-0-0.r20.chcgil09.us.bb.gin.ntt.net (129.250.5.4) [AS  2914]  28.434 ms  28.430 ms  28.880 ms
     MPLS Label=326737 CoS=0 TTL=1 S=0
     MPLS Label=102000 CoS=0 TTL=1 S=1
 4  ae-0.r21.chcgil09.us.bb.gin.ntt.net (129.250.3.98) [AS  2914]  28.965 ms  28.551 ms  28.545 ms
     MPLS Label=468133 CoS=0 TTL=1 S=0
     MPLS Label=102000 CoS=0 TTL=2 S=1
 5  p64-7-0-3.r20.snjsca04.us.bb.gin.ntt.net (129.250.5.20) [AS  2914]  88.941 ms  88.935 ms  88.968 ms
     MPLS Label=144065 CoS=0 TTL=1 S=0
     MPLS Label=102000 CoS=0 TTL=3 S=1
 6  ae-1.r21.plalca01.us.bb.gin.ntt.net (129.250.5.32) [AS  2914]  89.777 ms  89.894 ms  89.885 ms
     MPLS Label=102000 CoS=0 TTL=1 S=1
 7  xe-4-1.r04.plalca01.us.bb.gin.ntt.net (129.250.4.122) [AS  2914]  201.308 ms  213.554 ms  211.560 ms
<-- output truncated -->

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D

 



Re: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread Jay R. Ashworth
On Thu, Aug 07, 2008 at 03:55:13PM -0400, Patrick Darden wrote:
> Jay R. Ashworth wrote:
> >You really think Michael is malicious in his intent?
> >You've spent a whole lot of time paying no attention around here,
> >haven't you?
> 
> I think Michael tends to get confrontational.  As, apparently, do you.  

Sure.  And he's not always right either; none of us are.

But he gave cogent arguments to support his point, and you gave us
coke machines -- worse, *accused him*, backhandedly, of leaving space
for coke machines.  See below.

> I'm on a lot of the same lists Michael is on.  Have been since 1997.  I 
> have a lot of respect for him, with reservations gathered from 
> experience.  He is sharp, and he has a sharp tongue.

None of which amounts to "wants to hurt people", which is what you
accused him of.

> >No, cute soundbites don't make you an expert.
> >
> >But in this case, Dillon's right, and you're wrong: your attempt to
> >trivialize the specific issue on point (allocation within the 1918
> >space internal to a company network) by implying that the only reasons
> >to do it the way he suggests amount to "leaving space for soda
> >machines" only proves in public that you don't know what you're talking
> >about.
>
> No, you are wrong.  Your attempt to trivialize what I have to say by 
> calling it cute only proves that you don't know what you are talking 
> about.  Bad logic, isn't it?  Statement that you are wrong, then 
> "proving it" with nonsense addressing someone's character without 
> addressing the point

And yet I see that you don't yourself bother to try to prove your
argument; you merely continue to go after Michael and I on peripheral
points.  No pun intended.

> Your mislabelling my tongue-in-cheek ongoing obsession with soda 
> machines as Trivializing only proves you have no sense of humor.  I 
> remember when some kids at MIT first put their dorm's soda machine on 
> the internet.  Man that was cool.  You could ping it and find out how 
> many cokes were left, and their temperature

Sure.  Online coke machines are just about as cool as coffee-pot
webcams.

But they're orthogonal to the discussion that was at hand, and your
returning to that well in the middle of a serious discussion suggests
that you, yourself, are not all that serious.

Once is tongue in cheek.

Twice or three times is dilettante.

> >As randy would put it, I encourage my competitors to hire you to
> >architect their WANs.
> 
> Thank you.  Your bile does you credit.

I don't know, Patrick; you seem to be the one emotionalizing the
argument.

I'm out of this one though; we are certainly out of AUP.

Cheers,
-- jra
-- 
Jay R. Ashworth   Baylink  [EMAIL PROTECTED]
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274

 Those who cast the vote decide nothing.
 Those who count the vote decide everything.
   -- (Josef Stalin)



Re: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread Patrick Darden

Hi Jay,

Jay R. Ashworth wrote:

> You really think Michael is malicious in his intent?
> You've spent a whole lot of time paying no attention around here,
> haven't you?


I think Michael tends to get confrontational.  As, apparently, do you.  
I'm on a lot of the same lists Michael is on.  Have been since 1997.  I 
have a lot of respect for him, with reservations gathered from 
experience.  He is sharp, and he has a sharp tongue.



> No, cute soundbites don't make you an expert.
>
> But in this case, Dillon's right, and you're wrong: your attempt to
> trivialize the specific issue on point (allocation within the 1918
> space internal to a company network) by implying that the only reasons
> to do it the way he suggests amount to "leaving space for soda
> machines" only proves in public that you don't know what you're talking
> about.
No, you are wrong.  Your attempt to trivialize what I have to say by 
calling it cute only proves that you don't know what you are talking 
about.  Bad logic, isn't it?  Statement that you are wrong, then 
"proving it" with nonsense addressing someone's character without 
addressing the point


Your mislabelling my tongue-in-cheek ongoing obsession with soda 
machines as Trivializing only proves you have no sense of humor.  I 
remember when some kids at MIT first put their dorm's soda machine on 
the internet.  Man that was cool.  You could ping it and find out how 
many cokes were left, and their temperature



> As randy would put it, I encourage my competitors to hire you to
> architect their WANs.


Thank you.  Your bile does you credit.

--Patrick Darden



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Randy Bush
>> How much does it help to filter the bogons? In one study conducted by
>> Rob Thomas of a frequently attacked site, fully 60% of the naughty
>> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)
> Stated another way, you can get 60% success on bogon filtering by
> ignoring the free pool

if 127.1.2.3 and 0.5.4.3 are in the free pool, we have a few more /8s in
the bank than we thought, eh? :)

btw, patrick neglected the last sentences of that paragraph, which made
me wonder what rob would actually say.  luckily, in response to my post,
rob replied that he/they would try to get some useful measures in the
near term.  i am patient.

but your post makes me inclined to beg that he/that he have a few taxa
within the bogon space.

randy



Re: Out of Date Bogon Prefix

2008-08-07 Thread Member Services
The code that Randy mentioned is part of an ARIN bogon testing 
initiative. ARIN funded this work and provided equipment to Randy to 
perform this testing.


ARIN thanks Randy and those who worked with him for the effort in this area.

ARIN will deploy this code as it continues its bogon testing efforts in
the coming year.

Nate Davis
Chief Operations Officer
ARIN

Randy Bush wrote:

>> Switching topics only slightly: Nick, do you have any data on what parts
>> of the 'Net you can and cannot reach?  Perhaps take a dump of
>> route-views and ping some IPs in each ASN?  Shouldn't be hard to script,
>> and might yield useful data - both to you and the rest of us.
>
> tee hee.  been there.  done that.  and for 173.0.0.0/20.  paper
> submitted a month ago, but you saw a preso of the technique a year ago,
> see .
>
> arin has the code from us so they could put it into production if they
> so chose.
>
> randy






Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Robert E. Seastrom

"Patrick W. Gilmore" <[EMAIL PROTECTED]> writes:

> How much does it help to filter the bogons? In one study conducted by
> Rob Thomas of a frequently attacked site, fully 60% of the naughty
> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)

Stated another way, you can get 60% success on bogon filtering by
ignoring the free pool (which is getting smaller over time which
indicates the value in filtering it is asymptotic to zero) and only
filtering obvious crud, whose definition is not going to change over time.

In other words, Leo is right, and I'd submit that we're past the point
where putting in non-auto-updated filters for the free pool has a
value that exceeds the operational cost of dealing with their
lossage...  by a couple of years.

-r
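Rob's per-month tagging of bogon-sourced darknet probes and RS's argument for a filter built only from permanently reserved space (one that never goes stale), as an added Python example that is not code from Team Cymru or from any poster in this thread: it classifies each source as reserved, unallocated or valid, reports the bogon share per month over a constructed darknet log, and shows how a 2008-vintage free-pool snapshot misjudges an address once its /8 has been allocated. The log line format, the two-entry free-pool snapshot and every address are constructed assumptions.

```python
"""Tag darknet-observed source addresses by bogon class and summarise them per month."""
import ipaddress
from collections import defaultdict

# Space that will never be allocated or is permanently reserved: "this" network,
# RFC 1918, loopback, link-local, TEST-NET-1, multicast and class E.  A filter built
# from this list never goes stale, which is the filter RS argues for.
PERMANENT_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed snapshot of two /8s that sat in the IANA free pool in 2008 and have since
# been allocated.  A list like this is stale by design; it stands in for the full
# free-pool feed a 2008 operator would have pulled.
FREE_POOL_2008_SNAPSHOT = [ipaddress.ip_network(p) for p in ("1.0.0.0/8", "5.0.0.0/8")]


def classify(src, free_pool=FREE_POOL_2008_SNAPSHOT):
    """Return 'reserved', 'unallocated' or 'valid' for one source address.

    `free_pool` is the unallocated-space list in force when the packet is judged;
    pass an updated (or empty) list to see how a stale free-pool filter misclassifies.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in PERMANENT_BOGONS):
        return "reserved"
    if any(addr in net for net in free_pool):
        return "unallocated"
    return "valid"


def parse_line(line):
    """Parse one constructed darknet record,
    '<ISO timestamp> src=<ip> dst=<ip> proto=<p> dport=<n>', into (month, src)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts[:7], kv["src"]


def monthly_bogon_share(lines, free_pool=FREE_POOL_2008_SNAPSHOT):
    """Per month: total packets, reserved and unallocated counts, and the bogon
    percentage (reserved + unallocated over total), split the way Randy asked for."""
    stats = defaultdict(lambda: {"total": 0, "reserved": 0, "unallocated": 0})
    for line in lines:
        month, src = parse_line(line)
        m = stats[month]
        m["total"] += 1
        cls = classify(src, free_pool)
        if cls != "valid":
            m[cls] += 1
    for m in stats.values():
        m["bogon_pct"] = 100.0 * (m["reserved"] + m["unallocated"]) / m["total"]
    return dict(stats)


# Constructed sample log; 203.0.113.x and 198.51.100.x stand in for ordinary routable
# sources, the darknet itself sits in 192.0.2.0/24.
SAMPLE_DARKNET_LOG = """\
2008-06-01T00:00:01Z src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=445
2008-06-01T00:00:02Z src=127.1.2.3 dst=192.0.2.11 proto=tcp dport=135
2008-06-01T00:00:03Z src=0.5.4.3 dst=192.0.2.12 proto=tcp dport=445
2008-06-02T00:00:04Z src=1.2.3.4 dst=192.0.2.13 proto=tcp dport=22
2008-06-02T00:00:05Z src=198.51.100.9 dst=192.0.2.14 proto=udp dport=1434
2008-07-01T00:00:06Z src=10.0.0.8 dst=192.0.2.15 proto=tcp dport=139
2008-07-01T00:00:07Z src=203.0.113.8 dst=192.0.2.16 proto=tcp dport=445
2008-07-01T00:00:08Z src=1.9.9.9 dst=192.0.2.17 proto=tcp dport=445
""".splitlines()

if __name__ == "__main__":
    for month, m in sorted(monthly_bogon_share(SAMPLE_DARKNET_LOG).items()):
        print(f"{month}: {m['bogon_pct']:.3f}% bogon (reserved={m['reserved']}, "
              f"unallocated={m['unallocated']}, total={m['total']})")
    # The July probe from 1.9.9.9 is 'unallocated' against the 2008 snapshot, but
    # 'valid' once the free-pool list is refreshed after 1/8 was handed out: a static
    # free-pool filter left in place would still drop that traffic.
    print(classify("1.9.9.9"), classify("1.9.9.9", free_pool=[]))
```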





Re: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread Jay R. Ashworth
On Thu, Aug 07, 2008 at 01:47:02PM -0400, Patrick Darden wrote:
> I've always enjoyed your posts Michael.  You are obviously an expert, 
> with no patience for idiocy, and you always go for the throat and try to 
> hurt the other person as much as you can.  Your messages are always very 
> entertaining.

You really think Michael is malicious in his intent?

You've spent a whole lot of time paying no attention around here,
haven't you?

> As far as companies that design their own networks so they have trouble 
> interoperating with themselves--well, bummer for them.  I bet they wish 
> they had done their design more efficiently instead of making "large 
> sprawling" networks with plenty of room for growth for soda machines.  
> Because you just can't assign enough IP address space for your soda 
> machines.
> 
> "Cute sound bites does (sic) not make you an expert in anything. "  I 
> agree with this too.   But just because it's cute, doesn't mean it's wrong.

No, cute soundbites don't make you an expert.

But in this case, Dillon's right, and you're wrong: your attempt to
trivialize the specific issue on point (allocation within the 1918
space internal to a company network) by implying that the only reasons
to do it the way he suggests amount to "leaving space for soda
machines" only proves in public that you don't know what you're talking
about.

As randy would put it, I encourage my competitors to hire you to
architect their WANs.

Cheers,
-- jra
-- 
Jay R. Ashworth   Baylink  [EMAIL PROTECTED]
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274

 Those who cast the vote decide nothing.
 Those who count the vote decide everything.
   -- (Josef Stalin)



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore

On Aug 7, 2008, at 2:04 PM, Pete Templin wrote:

> Patrick W. Gilmore wrote:
>
>> Filter your bogons.  But do it in an automated fashion, from a
>> trusted source.
>> Of course, I recommend Team Cymru, which has a most sterling
>> record.  Nearly perfect (other than the fact they still recommend
>> MD5 on BGP sessions :).
>
> How can you recommend Team Cymru, when their product is not in any
> way a filter?  It is merely an automated method of injecting
> aggregate null routes for bogons, but in no way prevents a network
> from accepting aggregate or specific bogon announcements (i.e. it
> does not _filter_).


HUH?

Team Cymru offers many ways to set up filters, null routes, etc.  See .


Oh, and to answer Randy's question about how much actually comes from  
bogons, on that same page:



> How much does it help to filter the bogons? In one study conducted by
> Rob Thomas of a frequently attacked site, fully 60% of the naughty
> packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). A
> presentation based on that study, entitled "60 Days of Basic
> Naughtiness," can be viewed here. Your mileage may vary, and you may
> opt to filter more conservatively or more liberally. As always, you
> must KNOW YOUR NETWORK to understand the effects of such filtering.



I guess that means filtering bogons is useful.

--
TTFN,
patrick




Sprint IP engineer

2008-08-07 Thread Jon Lewis
Could a Sprintlink.net IP engineer please get in touch with me.  I'd like 
to talk about some really unusual IP routing/connectivity issues I'm 
seeing between our network and yours.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Pete Templin

Patrick W. Gilmore wrote:

> Filter your bogons.  But do it in an automated fashion, from a trusted
> source.
>
> Of course, I recommend Team Cymru, which has a most sterling record.
> Nearly perfect (other than the fact they still recommend MD5 on BGP
> sessions :).


How can you recommend Team Cymru, when their product is not in any way a 
filter?  It is merely an automated method of injecting aggregate null 
routes for bogons, but in no way prevents a network from accepting 
aggregate or specific bogon announcements (i.e. it does not _filter_).


pt




Re: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread Patrick Darden
I've always enjoyed your posts Michael.  You are obviously an expert, 
with no patience for idiocy, and you always go for the throat and try to 
hurt the other person as much as you can.  Your messages are always very 
entertaining.


In this case, however, you are responding to a conversation that is 
pretty much over and done.  I've already received umpty emails telling 
me how right I am, and another umpty emails telling me I am an idiot and 
I should go back to knitting.  Most of the latter were privately sent, 
and I appreciate both their candor and discretion.


The reasonable voices seem to feel that it doesn't matter if I am right, 
as the real world just doesn't care.  I have to agree with that.  That's 
kinda the whole point, I think.


The forward thinkers feel as you do that IPV6 is the real answer.  I 
believe I was the first to say that in this thread.


As far as the individual points that you satirize below--well ok then.  
We are not talking about people.  I was not the person who raised people 
as a metric.  Jump his case if you feel the need.  I was actually 
jumping his case about it myself, albeit tongue in cheek, and hopefully 
with no hard feelings.


However, the original conversation centered on the best way to design 
private networks so that internetworking between companies who did not 
confer on each other's network design does not cause problems, and how 
very few companies follow RFC1918 very well in my experience.


Whether they fail at RFC1918  for real reasons or not, they still fail.

As far as companies that design their own networks so they have trouble 
interoperating with themselves--well, bummer for them.  I bet they wish 
they had done their design more efficiently instead of making "large 
sprawling" networks with plenty of room for growth for soda machines.  
Because you just can't assign enough IP address space for your soda 
machines.


"Cute sound bites does (sic) not make you an expert in anything. "  I 
agree with this too.   But just because it's cute, doesn't mean it's wrong.


--Patrick Darden



[EMAIL PROTECTED] wrote:
Your point seemed to be that 
it is not a large enough allocation of IPs for an 
international enterprise of 80K souls.  My rebuttal is: 16.5 
million IPs isn't enough?



You don't seem to understand how IPv4 networks are designed 
and how that interacts with scale, i.e. the large sprawling

networks that international enterprises have. You don't simply
count out x addresses per employee. Instead, you design a subnet
architecture that a) can grow at all levels, and b) can be
cut off the network when you sell off a branch operation or two.

This leads to large amounts of IP addresses used up in padding
at all levels, which then leads to these organizations running
out of RFC 1918 space, a more and more common occurrence. This,
in itself, is a good incentive to move to IPv6, since the
seemingly wasteful subnet architecture is considered best practice
with IPv6, and a ULA prefix or two gives you lots of space to
keep growing.

 What are we talking 
about then?  100 IPs per person--say each person has 10 PCs, 
10 printers, 10 automated factory machines, 10 lab 
instruments, 49 servers and the soda machine on their 
network? 



Nope. We are not talking about people, but about network
architecture and topology. Two people in one office need
two addresses. Put them in separate offices and they need
two subnets. Topology dominates the design.

I don't think you have that many soda 
machines.  Even on 5 continents.  Even with your growing 
Asian market, your suppliers, and the whole marketing team.



I believe the first two companies to run out of RFC 1918
space (or to project that it would happen) are Comcast,
an American cable provider in one continent, and a
Japanese cable provider on a small Pacific island next
to China.


//Err.  Doing it wrong does not justify doing it wrong.



Cute sound bites does not make you an expert in anything.

In any case, IPv4 is yesterday's news. Nowadays everyone is
scrambling to integrate IPv6 into their networks and shift
services onto IPv6.

--Michael Dillon





RE: was bogon filters, now "Brief Segue on 1918"

2008-08-07 Thread michael.dillon
>Your point seemed to be that 
> it is not a large enough allocation of IPs for an 
> international enterprise of 80K souls.  My rebuttal is: 16.5 
> million IPs isn't enough?

You don't seem to understand how IPv4 networks are designed 
and how that interacts with scale, i.e. the large sprawling
networks that international enterprises have. You don't simply
count out x addresses per employee. Instead, you design a subnet
architecture that a) can grow at all levels, and b) can be
cut off the network when you sell off a branch operation or two.

This leads to large amounts of IP addresses used up in padding
at all levels, which then leads to these organizations running
out of RFC 1918 space, a more and more common occurrence. This,
in itself, is a good incentive to move to IPv6, since the
seemingly wasteful subnet architecture is considered best practice
with IPv6, and a ULA prefix or two gives you lots of space to
keep growing.

>  What are we talking 
> about then?  100 IPs per person--say each person has 10 PCs, 
> 10 printers, 10 automated factory machines, 10 lab 
> instruments, 49 servers and the soda machine on their 
> network? 

Nope. We are not talking about people, but about network
architecture and topology. Two people in one office need
two addresses. Put them in separate offices and they need
two subnets. Topology dominates the design.

> I don't think you have that many soda 
> machines.  Even on 5 continents.  Even with your growing 
> Asian market, your suppliers, and the whole marketing team.

I believe the first two companies to run out of RFC 1918
space (or to project that it would happen) are Comcast,
an American cable provider in one continent, and a
Japanese cable provider on a small Pacific island next
to China.

> //Err.  Doing it wrong does not justify doing it wrong.

Cute sound bites does not make you an expert in anything.

In any case, IPv4 is yesterday's news. Nowadays everyone is
scrambling to integrate IPv6 into their networks and shift
services onto IPv6.

--Michael Dillon
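The subnet-padding argument above (headroom at every level so that regions and sites can grow, and aligned prefixes so a sold-off branch can be cut out cleanly) can be made concrete with a small planner. This is an added example, not code from the thread: it carves a root prefix into regions, sites and per-site subnets, each level sized as a power of two, and reports how many addresses the plan reserves against how many hosts actually exist. The level sizes, the 20 used subnets per site and the 40 hosts per subnet are constructed assumptions, not figures from any real enterprise, and the ULA prefix is an invented sample.

```python
"""Added example: hierarchical address plans exhaust 10/8 by padding, not by host count."""
import ipaddress


def hierarchy(root, level_bits, leaf_max_prefixlen, used_subnets_per_site, hosts_per_used_subnet):
    """Carve `root` into 2**region_bits regions, 2**site_bits sites per region and
    2**subnet_bits subnets per site (level_bits = (region_bits, site_bits, subnet_bits)).

    Every level is a power of two so each region/site is one aligned prefix that can be
    routed, summarized or cut off as a unit.  `leaf_max_prefixlen` is the longest
    per-subnet prefix the design tolerates (/24 for IPv4 LANs here, /64 for IPv6).
    Raises ValueError when the hierarchy does not fit in `root`.
    """
    root = ipaddress.ip_network(root)
    region_bits, site_bits, subnet_bits = level_bits
    leaf_len = root.prefixlen + region_bits + site_bits + subnet_bits
    if leaf_len > leaf_max_prefixlen:
        raise ValueError(
            f"{root} cannot hold {region_bits}+{site_bits}+{subnet_bits} bits of hierarchy "
            f"with /{leaf_max_prefixlen} leaf subnets (would need /{leaf_len})"
        )
    regions = list(root.subnets(prefixlen_diff=region_bits))
    sites = [s for r in regions for s in r.subnets(prefixlen_diff=site_bits)]
    # Constructed usage assumption: only some subnets per site exist yet, and they are far
    # from full; the rest of the space is reserved padding for growth.
    hosts_in_use = len(sites) * used_subnets_per_site * hosts_per_used_subnet
    return {
        "regions": len(regions),
        "sites": len(sites),
        "site_prefixlen": sites[0].prefixlen,
        "subnets_per_site": 2 ** subnet_bits,
        "leaf_prefixlen": leaf_len,
        "reserved": root.num_addresses,
        "hosts_in_use": hosts_in_use,
        "utilization": hosts_in_use / root.num_addresses,
    }


if __name__ == "__main__":
    # 16 regions (/12), 16 sites each (/16), 256 /24 subnets per site: fills 10/8 exactly,
    # yet with 20 live /24s of 40 hosts per site only ~1.2% of the addresses are in use.
    v4 = hierarchy("10.0.0.0/8", (4, 4, 8), 24, 20, 40)
    print(v4)
    try:
        # One more bit of sites per region no longer fits with /24 leaves: 10/8 is "out".
        hierarchy("10.0.0.0/8", (4, 5, 8), 24, 20, 40)
    except ValueError as e:
        print("does not fit:", e)
    # The same topology in a single ULA /48 (sample prefix) lands on /64 leaves with no
    # pressure, and a second /48 is free if a region ever outgrows the first.
    print(hierarchy("fd12:3456:789a::/48", (4, 4, 8), 64, 20, 40))
```

The point of the run is the ratio: the IPv4 plan reserves all 16.7 million addresses of 10/8 for about 200 thousand hosts, and the 257th site does not fit no matter how few hosts it has, because the padding at the region and site levels is what consumed the space.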



Ericsson / Marconi AHX ADSL2+

2008-08-07 Thread Adam Armstrong


Hi All,

Are any of you using Marconi/Ericsson AXH 2500 (or similar) MSANs for 
ADSL2+?


Does anyone know much about setting up ADSL2+ to operate stably with 
fastpath (trellis off) and adaptive runtime on?


Any offlist help would be much appreciated!

Thanks,
adam.