Re: d000::/8 from AS28716

2010-01-11 Thread Pierfrancesco Caci
:-> "Chuck" == Chuck Anderson  writes:

> d000::/8   *[BGP/170] 01:08:26, MED 760, localpref 200
>   AS path: 30071 6762 28716 I
>> to 2001:4830:e1:10::1 via ge-0/0/0.593

I fail to see how this could have gone through this:

ipv6 prefix-list AS28716-V6-IN: 1 entries
   seq 5 permit 2001:1BD0::/32

unless "Every IPv6 prefix list, including prefix lists that do not
have any permit and deny condition statements, has an implicit deny
any any statement as its last match condition" is not true for this
particular IOS release, or the router just went nuts.

Maybe next time drop me a line when it's happening, I don't see the
route from the customer now. 

Pf


-- 


---
 Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
 p.c...@seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/
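As an added illustration (not code from the thread) of the prefix-list check Pierfrancesco describes, here is a small Python evaluator that applies first-match and the implicit deny to the posted AS28716-V6-IN list; the ge/le handling goes beyond the single entry shown on the page.

```python
"""Evaluate a Cisco-style IPv6 prefix-list the way a router does: first
matching sequence wins, and an implicit deny-everything sits at the end.
Added example, not code from the thread; the sample list mirrors the one
posted above (AS28716-V6-IN with a single 'permit 2001:1BD0::/32')."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv6Network
    ge: Optional[int] = None         # minimum prefix length to match
    le: Optional[int] = None         # maximum prefix length to match

    def matches(self, route: ipaddress.IPv6Network) -> bool:
        # The route must fall inside the entry's prefix...
        if not route.subnet_of(self.prefix):
            return False
        # ...and its length must lie in the allowed window. With neither
        # ge nor le, only a route of exactly the entry's length matches.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 128
        else:
            hi = lo
        return lo <= route.prefixlen <= hi


def parse_prefix_list(text: str) -> List[PrefixListEntry]:
    """Parse 'seq N permit|deny PREFIX [ge N] [le N]' lines from show output."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "seq":
            continue   # skips the "ipv6 prefix-list NAME: n entries" header
        seq, action, prefix = int(tokens[1]), tokens[2], tokens[3]
        opts = dict(zip(tokens[4::2], map(int, tokens[5::2])))
        entries.append(PrefixListEntry(seq, action,
                                       ipaddress.IPv6Network(prefix, strict=False),
                                       opts.get("ge"), opts.get("le")))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); seq is None when the implicit deny fires."""
    net = ipaddress.IPv6Network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None


def check_routes(prefix_list_text: str, routes: List[str]) -> Dict[str, str]:
    entries = parse_prefix_list(prefix_list_text)
    return {r: evaluate(entries, r)[0] for r in routes}


# The inbound filter as shown in the thread (constructed copy of that output).
AS28716_V6_IN = """ipv6 prefix-list AS28716-V6-IN: 1 entries
   seq 5 permit 2001:1BD0::/32
"""

if __name__ == "__main__":
    verdicts = check_routes(AS28716_V6_IN,
                            ["2001:1BD0::/32", "2001:1BD0:1::/48", "d000::/8"])
    for route, verdict in verdicts.items():
        print(f"{route:<18} {verdict}")
```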



Re: d000::/8 from AS28716

2010-01-11 Thread Andree Toonk
.-- My secret spy satellite informs me that at Mon, 11 Jan 2010, Mark Jackson 
wrote:

> I'd say that is a bogus route/AS announcement.
> I see nothing in the address assignment for that. But I see traffic
> started originating around 12/15/2009.

Actually d000::/8 has been around for 2 months already (2009-11-13 08:24:46).
Also see:
http://www.bgpmon.net/showbogons.php?inet=6

Cheers Andree



Re: d000::/8 from AS28716

2010-01-11 Thread Steve Bertrand
Mark Jackson wrote:
> I'd say that is a bogus route/AS announcement.
> I see nothing in the address assignment for that. But I see traffic
> started originating around 12/15/2009.

I envision that work will be done in this regard shortly.

God willing, our RIRs will be handing out prefixes to everyone from
blocks that are specifically designed for 'that purpose'.

It's interesting to know that since we are so virgin v6, that the RIRs
should have no problem shelving up address space into an
easy-to-document format. Although the RIRs can't dictate routing policy,
routing/ops people can dictate what the RIR policy states.

Then, Team Cymru will have an easy time laying base with an 'allowed' as
opposed to a 'denied' list of addresses.

Steve



Re: d000::/8 from AS28716

2010-01-11 Thread Mark Jackson
I'd say that is a bogus route/AS announcement.
I see nothing in the address assignment for that. But I see traffic
started originating around 12/15/2009.


Mark Jackson, CCIE #4736
Sent from my iPhone. Please excuse spelling errors

On Jan 11, 2010, at 6:17 PM, Chuck Anderson  wrote:

> Anyone know why this ISP from Italy is advertising d000::/8 to the
> IPv6 Internet?
>
>> show route d000::/8
>
> inet6.0: 2446 destinations, 5143 routes (2445 active, 0 holddown, 1
> hidden)
> Restart Complete
> + = Active Route, - = Last Active, * = Both
>
> d000::/8   *[BGP/170] 01:08:26, MED 760, localpref 200
>  AS path: 30071 6762 28716 I
>> to 2001:4830:e1:10::1 via ge-0/0/0.593
>
>
> aut-num:AS28716
> as-name:EPLANET-AS
> export: to AS49772 announce ANY
> descr:  ePLANET SPA
> descr:  Internet Service Provider
> descr:  Via G.Vida 19 20127 Milano - ITALY -
> admin-c:GU29-RIPE
> tech-c: MF8125-RIPE
> mnt-by: EPLANET-MNT
> mnt-routes: EPLANET-MNT
> changed:hostmas...@ripe.net 20080208
> source: RIPE
>
>



Re: d000::/8 from AS28716

2010-01-11 Thread Scott Morris
   To be honest, when I figured a big BUNCH of d000 was going to hit the
   Internet, I did not expect it to come from Italy.;)
   Chuck Anderson wrote:

Anyone know why this ISP from Italy is advertising d000::/8 to the
IPv6 Internet?



show route d000::/8


inet6.0: 2446 destinations, 5143 routes (2445 active, 0 holddown, 1 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

d000::/8   *[BGP/170] 01:08:26, MED 760, localpref 200
  AS path: 30071 6762 28716 I
> to 2001:4830:e1:10::1 via ge-0/0/0.593


aut-num:AS28716
as-name:EPLANET-AS
export: to AS49772 announce ANY
descr:  ePLANET SPA
descr:  Internet Service Provider
descr:  Via G.Vida 19 20127 Milano - ITALY -
admin-c:GU29-RIPE
tech-c: MF8125-RIPE
mnt-by: EPLANET-MNT
mnt-routes: EPLANET-MNT
changed:hostmas...@ripe.net 20080208
source: RIPE


d000::/8 from AS28716

2010-01-11 Thread Chuck Anderson
Anyone know why this ISP from Italy is advertising d000::/8 to the 
IPv6 Internet?

> show route d000::/8 

inet6.0: 2446 destinations, 5143 routes (2445 active, 0 holddown, 1 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

d000::/8   *[BGP/170] 01:08:26, MED 760, localpref 200
  AS path: 30071 6762 28716 I
> to 2001:4830:e1:10::1 via ge-0/0/0.593


aut-num:AS28716
as-name:EPLANET-AS
export: to AS49772 announce ANY
descr:  ePLANET SPA
descr:  Internet Service Provider
descr:  Via G.Vida 19 20127 Milano - ITALY -
admin-c:GU29-RIPE
tech-c: MF8125-RIPE
mnt-by: EPLANET-MNT
mnt-routes: EPLANET-MNT
changed:hostmas...@ripe.net 20080208
source: RIPE




Re: Question about how to define network equipments

2010-01-11 Thread Dan Snyder
I know you can measure the actual performance if you use Ixia hardware. We
have used Ixia to find the limitations of hardware before putting it in
production.


On Mon, Jan 11, 2010 at 8:03 PM, GIULIANO (UOL) wrote:

> People,
>
> I have seen a discussion about DDoS Mitigation in this list.
>
> Someone referenced Juniper SRX equipment as good equipment to prevent
> DDoS attacks.
>
> Like Juniper SRX, other players like Fortinet have some hardware-based
> (FortiGate) appliances that provide great throughput, DDoS mitigation, UTM
> features, etc.  Ex. the recent FortiGate 1240B
>
> My question about these products is related to a combination of
> performance parameters that I really do not understand.
>
> Let's use Juniper SRX as an example:
>
> Juniper SRX has (from Juniper's web site):
>
> Firewall performance (max)
> 1.5 Gbps
>
> Maximum concurrent sessions
> 64 K (512 MB DRAM) / 128 K (1 GB DRAM)
>
> New sessions/second (sustained, TCP, 3-way)
> 9,000
>
> Let's suppose that we have a client with 100 Mbps total full duplex
> throughput on an SRX-240's interfaces.
>
> If this client has 6000 users ... how is it possible to combine:
>
> 1.5 Gbps (100 Mbps) x 128K sessions x 9000 new sessions/second
>
> Supposing 5000 users x 100 sessions per user ... the box will not
> support it, right?
>
> What is the correct way to calculate this accurately?
>
> Every player seems to have a way to calculate it. Every player says
> something about sessions.
>
> What is the correct parameter about sessions?
>
> How many sessions per second can a normal user (FTP, E-mail, HTTP, SSL, SSH,
> Telnet) generate?
>
> Why is the number 9000 new sessions/second important?
>
> How can I add DDoS mitigation on top of all of these 3 parameters?
>
> How much performance will I consume under a DDoS attack?
>
> Is it possible to measure it?
>
> Thanks a lot,
>
> Giuliano
>
>


Question about how to define network equipments

2010-01-11 Thread GIULIANO (UOL)
People,

I have seen a discussion about DDoS Mitigation in this list.

Someone referenced Juniper SRX equipment as good equipment to prevent
DDoS attacks.

Like Juniper SRX, other players like Fortinet have some hardware-based
(FortiGate) appliances that provide great throughput, DDoS mitigation, UTM
features, etc.  Ex. the recent FortiGate 1240B

My question about these products is related to a combination of
performance parameters that I really do not understand.

Let's use Juniper SRX as an example:

Juniper SRX has (from Juniper's web site):

Firewall performance (max)
1.5 Gbps

Maximum concurrent sessions
64 K (512 MB DRAM) / 128 K (1 GB DRAM)

New sessions/second (sustained, TCP, 3-way)
9,000

Let's suppose that we have a client with 100 Mbps total full duplex
throughput on an SRX-240's interfaces.

If this client has 6000 users ... how is it possible to combine:

1.5 Gbps (100 Mbps) x 128K sessions x 9000 new sessions/second

Supposing 5000 users x 100 sessions per user ... the box will not
support it, right?

What is the correct way to calculate this accurately?

Every player seems to have a way to calculate it. Every player says
something about sessions.

What is the correct parameter about sessions?

How many sessions per second can a normal user (FTP, E-mail, HTTP, SSL, SSH,
Telnet) generate?

Why is the number 9000 new sessions/second important?

How can I add DDoS mitigation on top of all of these 3 parameters?

How much performance will I consume under a DDoS attack?

Is it possible to measure it?

Thanks a lot,

Giuliano



Re: he.net down/slow?

2010-01-11 Thread William Herrin
On Mon, Jan 11, 2010 at 7:01 PM, JC Dill  wrote:
> Michael J. Hartwick wrote:
>>
>> I have never understood how posting the "warning" at the bottom of the
>> email
>> after you have already given up the "protected" information could possibly
>> be considered enforceable.
>
> It might be useful to look at what some people in the legal business say
> about these disclaimers:
>
> http://arborlaw.biz/blog/2007/07/19/legal-issues-in-email-disclaimers/

Here's what these lawyers have to say:

http://www.ndasforfree.com/TSProgram03BasicProtection.html

"Don’t go overboard and mark everything in sight confidential. If
virtually everything, including public information, is marked
“confidential,” a court may conclude that nothing was really
confidential. It is better not to mark anything than to mark
everything."


Regards,
Bill Herrin

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: he.net down/slow?

2010-01-11 Thread JC Dill

Michael J. Hartwick wrote:

I have never understood how posting the "warning" at the bottom of the email
after you have already given up the "protected" information could possibly
be considered enforceable. 


It might be useful to look at what some people in the legal business say 
about these disclaimers:


http://arborlaw.biz/blog/2007/07/19/legal-issues-in-email-disclaimers/




RE: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Stefan Fouant
Ummm... there is some proprietary information I would have to remove first.
Will NANOG accept a message to the forum with an attachment?  If not I can
put it up on my site.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

> -Original Message-
> From: jul [mailto:jul_...@yahoo.fr]
> Sent: Monday, January 11, 2010 4:58 PM
> To: Stefan Fouant
> Cc: 'Hank Nussbacher'; 'NANOG'
> Subject: Re: D/DoS mitigation hardware/software needed.
> 
> Stefan Fouant wrote on 11/01/10 14:45:
> > If anyone is interested, I did pretty exhaustive research into the
> Service
> > Provider marketplace last summer (before Verisign came out with their
> VIDN).
> > I've got some slides which outline the costs, mitigation capacity,
> etc. of
> > many different providers.  The provider option isn't always the
> cheapest
> > when compared to DIY factored in over a 3-5 year lifespan.
> 
> If you can share, I think everyone would be interested.
> I am :)




Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread jul
Stefan Fouant wrote on 11/01/10 14:45:
> If anyone is interested, I did pretty exhaustive research into the Service
> Provider marketplace last summer (before Verisign came out with their VIDN).
> I've got some slides which outline the costs, mitigation capacity, etc. of
> many different providers.  The provider option isn't always the cheapest
> when compared to DIY factored in over a 3-5 year lifespan.

If you can share, I think everyone would be interested.
I am :)




Re: I don't need no stinking firewall!

2010-01-11 Thread Henry Yen
On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote:
> Nenad Andric wrote:
> > On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan  wrote:
> 
> >> Or better:
> >> - Allow from anywhere port 80 to server port > 1023 established
> > 
> >  Adding "established" brings us back to stateful firewall!
> 
> Not really.  It only looks to see if the ACK or RST bits are set.  This 
> is different from a stateful firewall which memorizes each outbound 
> packet and checks the return for a match source/destination/sequence.

That's (cisco) reflexive access lists.

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York
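An added example, not code from the thread, showing the distinction Jay and Henry are discussing: the ACL "established" keyword is a flag test on each packet, while a stateful filter needs a remembered outbound connection. Addresses and segments are constructed.

```python
"""Contrast an ACL 'established' match with a stateful check, as the thread
describes. Added example, not code from the thread. 'established' only tests
whether ACK or RST is set; the stateful filter below remembers outbound SYNs
and admits inbound segments only when they answer one (the sequence check is
simplified to 'ack number equals the SYN's seq + 1')."""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int


def parse_tcp(src: str, dst: str, raw: bytes) -> Segment:
    """Decode the first 14 bytes of a TCP header (ports, seq, ack, flags)."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Segment(src, sport, dst, dport, seq, ack, off_flags & 0x1FF)


def acl_established(seg: Segment) -> bool:
    """The IOS 'established' keyword: true when ACK or RST is set."""
    return bool(seg.flags & (TCP_ACK | TCP_RST))


class StatefulFilter:
    """Minimal connection tracker keyed on the outbound 4-tuple."""

    def __init__(self) -> None:
        # (client, cport, server, sport) -> ack number the server must send
        self.table: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, seg: Segment) -> None:
        if seg.flags & TCP_SYN and not seg.flags & TCP_ACK:
            self.table[(seg.src, seg.sport, seg.dst, seg.dport)] = seg.seq + 1

    def inbound_allowed(self, seg: Segment) -> bool:
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        expected_ack = self.table.get(key)
        if expected_ack is None:
            return False      # no connection we opened: drop regardless of flags
        return bool(seg.flags & TCP_ACK) and seg.ack == expected_ack


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed 20-byte header for the demo (window, checksum, urg = 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each inbound segment: (passes 'established', passes stateful)."""
    fw = StatefulFilter()
    # Client 192.0.2.10 opens a connection to web server 198.51.100.5:80.
    syn = parse_tcp("192.0.2.10", "198.51.100.5",
                    build_tcp(40000, 80, 1000, 0, TCP_SYN))
    fw.outbound(syn)
    # The server's SYN/ACK answering that SYN: legitimate return traffic.
    synack = parse_tcp("198.51.100.5", "192.0.2.10",
                       build_tcp(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK))
    # An unsolicited segment from source port 80 to a port > 1023 with ACK set
    # and no matching connection: 'established' passes it, the tracker does not.
    stray = parse_tcp("203.0.113.7", "192.0.2.10",
                      build_tcp(80, 40001, 77, 99, TCP_ACK))
    return {
        "synack": (acl_established(synack), fw.inbound_allowed(synack)),
        "stray": (acl_established(stray), fw.inbound_allowed(stray)),
    }


if __name__ == "__main__":
    for name, (acl_ok, stateful_ok) in demo().items():
        print(f"{name:<7} established={acl_ok}  stateful={stateful_ok}")
```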



RE: he.net down/slow?

2010-01-11 Thread Michael J. Hartwick
I have never understood how posting the "warning" at the bottom of the email
after you have already given up the "protected" information could possibly
be considered enforceable. I thought most NDA's required willing acceptance
by both parties before it could be considered valid, a message at the bottom
of the email that I have not agreed to should not be considered a valid
contract. That is kind of like putting the software license agreement inside
the box and the only way to get to the agreement is to open the shrink wrap,
but opening the shrink wrap is your acceptance of the agreement. If you put
the "warning" at the top of the email before what you are trying to protect
I *might* be more likely to believe it could be enforced.

Michael

--
Michael J. Hartwick, VE3SLQ  hartw...@hartwick.com
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--


> -Original Message-
> From: Martin Hannigan [mailto:mar...@theicelandguy.com]
> Sent: Saturday, January 09, 2010 18:28
> To: valdis.kletni...@vt.edu; Brian Johnson; nanog@nanog.org
> Subject: Re: he.net down/slow?
> 
> Some NDA's require that you must state your intent for each
> communication that should be covered by the NDA.  As much as everyone
> would like to believe these are worthless, they are not. Applying them
> globally to your email protects your legal rights. It is also
> innocuous.
> 
> Don't them it if you don't want to or perhaps a filter on keywords?
> 
> Best,
> 
> -M<
> 
> 
> 
> 
> 
> 
> 
> On 1/7/10, valdis.kletni...@vt.edu  wrote:
> > On Thu, 07 Jan 2010 13:51:41 CST, Brian Johnson said:
> >> > On 7 Jan 2010, at 18:18, William Pitcock wrote:
> >> > > ...why would you have that on a mailing list post?
> >> > because the mail server that adds it is too dumb to differentiate
> >> > between list and direct mail?
> >
> >> Bingo! ;)
> >
> > That sort of gratuitous "add it to everything because our software is
> too
> > stupid to sort it out" is *this* close to what the legal eagles call
> > "overwarning".  Just sayin'.
> >
> > (Basically, your site and everybody else's site sticks it on
> everything,
> > all the recipients just ignore it the same way we almost always
> ignore
> > Received: headers because they're on every message and very rarely
> have
> > any useful content - with the end result that if you stick it on a
> message
> > that *matters*, it will still get ignored)
> >
> > Oh, and is your company ready to indemnify my employer for the costs
> of
> > "destroy all copies of the original message" sufficiently thoroughly
> to
> > prevent recovery by a competent forensics expert? This may include,
> but
> > not be limited to, the main mail store for 70,000 people, backup
> tapes,
> > and other mail systems where the data may have been logically deleted
> but
> > as yet not overwritten.  Just sayin'. ;)
> >
> 
> 
> --
> Martin Hannigan   mar...@theicelandguy.com
> p: +16178216079
> Power, Network, and Costs Consulting for Iceland Datacenters and
> Occupants





Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Rick Ernst
Right. Some providers allow you to BGP community trigger RTBH.  There was a
separate mention of D/DoS-mitigation-providers using DNS and BGP tunneling.

Rick




On Mon, Jan 11, 2010 at 8:14 AM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> > -Original Message-
> > From: Rick Ernst [mailto:na...@shreddedmail.com]
> > Sent: Monday, January 11, 2010 10:39 AM
> > To: NANOG
> > Subject: Re: D/DoS mitigation hardware/software needed.
> >
> > As a service-provider/data-center, it seems like outsourcing would be
> > either
> > ineffective and/or removes the "big red button" in case of trouble.
> >
> > Am I missing something, overly paranoid, or are there other mechanisms
> > for
> > outsourced protection?
>
> In fact, quite the opposite.  Those providers who do offer DDoS mitigation
> services usually allow the customer to trigger the redirect in a manner
> similar to RTBHs by substituting the blackhole community for some type of
> mitigation community.  This causes the Provider's edge router (or Route
> Server) to advertise the affected route within the Service Provider's
> network with a next-hop of the scrubbers.
>
> There are some providers who do auto-mitigation on behalf of the customer,
> but IMO this approach is asking for trouble.
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>


Re: SORBS on autopilot?

2010-01-11 Thread William Herrin
On Mon, Jan 11, 2010 at 12:40 PM, Steve Ryan  wrote:
> SORBS is a joke, always been a joke, and always will be a joke.  I'm quite
> saddened by the fact an entity actually provided financial support to keep
> it going.  The internet community would have been better served had they
> just went away.

SORBS appeared because someone was upset when the widely reviled ORBS
decamped. If SORBS went away there'd just be MORBS.

All the same, it's disappointing to see the SORBS DUL fall into
disrepair. Although not the focus of sorbs' operator, the DUL *was*
one of the more useful lists they published.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Christopher Morrow
On Mon, Jan 11, 2010 at 1:12 PM, Stefan Fouant
 wrote:
> Precisely - I was saying that in order to add more point to your argument.
> I wasn't disagreeing with you :)

i need more coffee :( thanks!

-Chris



RE: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Stefan Fouant
Precisely - I was saying that in order to add more point to your argument.
I wasn't disagreeing with you :)

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

> -Original Message-
> From: christopher.mor...@gmail.com
> [mailto:christopher.mor...@gmail.com] On Behalf Of Christopher Morrow
> Sent: Monday, January 11, 2010 12:49 PM
> To: Stefan Fouant
> Cc: jul; NANOG
> Subject: Re: D/DoS mitigation hardware/software needed.
> 
> On Mon, Jan 11, 2010 at 9:33 AM, Stefan Fouant
>  wrote:
> >> -Original Message-
> >> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> >> Sent: Monday, January 11, 2010 2:05 AM
> >>
> >> On Mon, Jan 11, 2010 at 12:26 AM, jul  wrote:
> >> > Martin Hannigan wrote on 05/01/10 16:50:
> >> >
> >> > Outsourced services have higher cost than Arbor but can handled
> more.
> >>
> >> Do they? VerizonBusiness's solution was $3250US/month so ~$90USk
> over
> >> 2yrs. Arbor, I think, for a TMS + collectors was +100k.
> >
> > Don't forget to factor in OpEx.  This can often tilt the scales in
> favor of
> > one vs. the other.
> 
> sure, but just capex alone the 'make vzb do this' option wins. (I
> think at least, I'm not a math guy though...)




Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Christopher Morrow
On Mon, Jan 11, 2010 at 9:33 AM, Stefan Fouant
 wrote:
>> -Original Message-
>> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
>> Sent: Monday, January 11, 2010 2:05 AM
>>
>> On Mon, Jan 11, 2010 at 12:26 AM, jul  wrote:
>> > Martin Hannigan wrote on 05/01/10 16:50:
>> >
>> > Outsourced services have higher cost than Arbor but can handled more.
>>
>> Do they? VerizonBusiness's solution was $3250US/month so ~$90USk over
>> 2yrs. Arbor, I think, for a TMS + collectors was +100k.
>
> Don't forget to factor in OpEx.  This can often tilt the scales in favor of
> one vs. the other.

sure, but just capex alone the 'make vzb do this' option wins. (I
think at least, I'm not a math guy though...)



Re: SORBS on autopilot?

2010-01-11 Thread Steve Ryan



On 1/11/2010 8:54 AM, telmn...@757.org wrote:

Did SORBS really cause you that much pain?
SORBS causes people pain every day.  I worked at an ISP that used 
SORBS and it was nothing short of a nightmare.  Donations to get things 
removed, nobody would help you, everything was 'automated' and if 
somehow something pissed off the 'automation process' you were subject 
to things just staying broken.


SORBS is a joke, always been a joke, and always will be a joke.  I'm 
quite saddened by the fact an entity actually provided financial support 
to keep it going.  The internet community would have been better served 
had they just went away.






Re: SORBS on autopilot?

2010-01-11 Thread Brian Keefer
On Jan 11, 2010, at 8:18 AM, Patrick W. Gilmore wrote:

>  people using SORBS stop using SORBS.
> 
> -- 
> TTFN,
> patrick


Usually that's the easiest path.  All it takes is asking the site using SORBS 
to do a few Google searches.

There are much better options out there than SORBS.  Why anyone thinks it's a 
good idea to cause that much collateral damage is beyond me.

--
bk


Re: SORBS on autopilot?

2010-01-11 Thread gordon b slater
On Mon, 2010-01-11 at 11:15 -0500, telmn...@757.org wrote:
> > Anyone got some pointers on how to get off SORBS' Dynamic IP lists?
> 
> Our solution was to find new IP space. It was hopeless.
> 
> 

"me too"; for 2 of my old (smaller sized) customers in the last 4 or 5
month. 
Nothing seemed to work and the immediate financial losses rapidly hit
over 10k Euros in both cases, so switching was by far the easier
option. 
I was amazed, but it definitely worked, I'll grant them that.

Both were "normal" and non-spammy setups, correctly configured and well
run by experienced netops. They just figured it was faster/safer
(financially) to move, all things considered.

Caused a panic at the time but until it happens again, 100% success :)

Gord

--
error: wit pool entropy approaching zero. system halted. again.





Re: SORBS on autopilot?

2010-01-11 Thread telmnstr

Did SORBS really cause you that much pain?


Yes. We purchased colo space for some systems that didn't need high class 
of service (mostly development systems.) The IP space in a former lifetime 
was a dialup pool for analog modems.


We of course changed the reverse DNS entries, and did the normal request 
with SORBS. Nothing really happened. I started looking into it, and 
finding stories of people doing the mandatory $90 donation to get express 
attention, and still not getting attention (so they were reversing the 
paypal payments and such.) After reading all this crap, I pushed our 
provider, they couldn't get response from sorbs, so we ended up relaying 
some of the traffic through our ISP and other traffic through our mail 
servers that are in a better data center.


We had ZERO problem with Spamhaus. They were cool. Fast. Worked.

The problem of course is that customers that don't know any better use 
mail servers that are setup for SORBS. Trying to explain it to non-tech 
folks is futile.


The people that run SORBS are obviously bored with the project, and it 
should die.



I ask because the other possible solution is enough people do not find new 
space that people using SORBS stop using SORBS.


That's tough because the people that generally are using mail servers that 
use SORBS don't know better. They have to ask their providers, etc.







Re: SORBS on autopilot?

2010-01-11 Thread Ken Chase
On Mon, Jan 11, 2010 at 10:01:11AM -0600, Larry Smith's said:
 >host 67.196.137.1
  >1.137.196.67.in-addr.arpa domain name pointer 
  >H1.C137.B196.A67.tor.colo.heavycomputing.ca.

Yeah I didn't make the .colo. up, it's in their proposed-RFC document in section 
6.3.
They even go so far as to use the word MUST w.r.t. 'colo' in YELLCAPS:

http://tools.ietf.org/id/draft-msullivan-dnsop-generic-naming-schemes-00.txt

  >host 67.196.137.163
  >163.137.196.67.in-addr.arpa domain name pointer sizone.org.

This one was manually delisted a while ago. I have other hosts in there that
have proper custom-reverses such as .188 (which is the customer of mine which
wants off, but we can't get off.) He's had his custom name in there for months.
Doesn't seem to help.

  >Have you tried all 3 of the routes listed at 
  >http://www.au.sorbs.net/faq/dul.shtml ?

Yes.

  >Something they don't tell you on the web page is that they ignore TTL and 
  >cache your DNS for a relatively long time.  If you tried for automated 
  >removal and your rDNS wasn't SORBS-compliant, automated removal isn't 
  >going to work for some number of days (I forget how many) even after you 
  >have made your rDNS SORBS-compliant.

It's been 5 days since I changed from a generic naming scheme (which was the
above minus the word colo) to adding in the 'colo'. Maybe the .tor. extra
subdomain is hurting somehow - the feedback loop between executing and testing
results is painfully long, and hard to tie down cause and effect.

I see our listing is also dated as an Aug 29th test, I'm not sure how to get them
to re-test the block despite the 're-test' guidelines on their pages.

  >67.196.137.165  H165.C137.B196.A67.tor.colo.heavycomputing.ca.
  >67.196.137.166  H166.C137.B196.A67.tor.colo.heavycomputing.ca.
  >
  >With rDNS like that...good luck.  Go read
  >
  >http://tools.ietf.org/id/draft-msullivan-dnsop-generic-naming-schemes-00.txt

Exactly. Section 6.3, though with the .tor., perhaps I'm not allowed to
indicate with a STATIC NAME where the colocation is, and perhaps I have to
remove the H/C/B/A as well. Guess I'll try and just wait another 4-8 days before
guessing that's not working.

  >change your rDNS, wait a few days, and maybe you'll have a chance.

Have, maybe not enough days though. Hard to tell, which is my whole complaint.
But getting this working would also help spammers, I suppose is their refrain.

I'll try to be extremely literal about the non-RFC and see where that gets me.
Thanks.

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.



Re: SORBS on autopilot?

2010-01-11 Thread Patrick W. Gilmore
On Jan 11, 2010, at 11:15 AM, telmn...@757.org wrote:

>> Anyone got some pointers on how to get off SORBS' Dynamic IP lists?
> 
> Our solution was to find new IP space. It was hopeless.

Did SORBS really cause you that much pain?

I ask because the other possible solution is enough people do not find new 
space that people using SORBS stop using SORBS.

-- 
TTFN,
patrick




Re: SORBS on autopilot?

2010-01-11 Thread telmnstr



Anyone got some pointers on how to get off SORBS' Dynamic IP lists?


Our solution was to find new IP space. It was hopeless.



RE: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Stefan Fouant
> -Original Message-
> From: Rick Ernst [mailto:na...@shreddedmail.com]
> Sent: Monday, January 11, 2010 10:39 AM
> To: NANOG
> Subject: Re: D/DoS mitigation hardware/software needed.
> 
> As a service-provider/data-center, it seems like outsourcing would be
> either
> ineffective and/or removes the "big red button" in case of trouble.
> 
> Am I missing something, overly paranoid, or are there other mechanisms
> for
> outsourced protection?

In fact, quite the opposite.  Those providers who do offer DDoS mitigation
services usually allow the customer to trigger the redirect in a manner
similar to RTBHs by substituting the blackhole community for some type of
mitigation community.  This causes the Provider's edge router (or Route
Server) to advertise the affected route within the Service Provider's
network with a next-hop of the scrubbers.

There are some providers who do auto-mitigation on behalf of the customer,
but IMO this approach is asking for trouble.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
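An added example, not code from the thread or from any provider, modelling the community-triggered redirect Stefan describes as an edge import policy in Python; the community values, next-hops, the allocation check and the host-route rule for blackholes are assumptions made for the demo.

```python
"""Model of the community-triggered redirect described above: the customer
tags a route with the provider's blackhole or mitigation community and the
provider's edge rewrites the next-hop. Added example, not code from the thread
or any provider. Community values, next-hops, and the rules that the prefix
must lie inside the customer's allocation and a blackhole must be a host route
are constructed assumptions for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

BLACKHOLE_COMMUNITY = "64496:666"    # constructed; real values are provider-specific
MITIGATION_COMMUNITY = "64496:667"   # constructed
DISCARD_NEXT_HOP = "192.0.2.1"       # constructed: an address routed to discard
SCRUBBER_NEXT_HOP = "192.0.2.254"    # constructed: next-hop of the scrubbing center


@dataclass(frozen=True)
class Announcement:
    prefix: str
    communities: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    action: str                 # "reject", "accept", "blackhole" or "mitigate"
    next_hop: Optional[str]     # None means the next-hop is left as received
    reason: str


def edge_policy(ann: Announcement, customer_allocation: List[str]) -> Decision:
    """Import policy applied on the provider edge to one customer announcement."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    allowed = [ipaddress.ip_network(p) for p in customer_allocation]
    # Honour a trigger only for space the customer is registered for; otherwise
    # the community would let one customer redirect another customer's traffic.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return Decision("reject", None, "prefix outside customer allocation")
    if BLACKHOLE_COMMUNITY in ann.communities:
        if net.prefixlen != net.max_prefixlen:
            return Decision("reject", None, "blackhole requires a host route")
        return Decision("blackhole", DISCARD_NEXT_HOP, "blackhole community set")
    if MITIGATION_COMMUNITY in ann.communities:
        # Same trigger mechanism as RTBH, but the next-hop is the scrubber
        # instead of discard, so traffic is cleaned rather than dropped.
        return Decision("mitigate", SCRUBBER_NEXT_HOP, "mitigation community set")
    return Decision("accept", None, "no trigger community, next-hop unchanged")


def demo_decisions() -> Dict[str, Decision]:
    """Constructed customer allocation and a few announcements it might send."""
    allocation = ["198.51.100.0/24"]
    cases = {
        "plain": Announcement("198.51.100.0/24", frozenset()),
        "mitigate host": Announcement("198.51.100.10/32", frozenset({MITIGATION_COMMUNITY})),
        "blackhole host": Announcement("198.51.100.10/32", frozenset({BLACKHOLE_COMMUNITY})),
        "blackhole net": Announcement("198.51.100.0/24", frozenset({BLACKHOLE_COMMUNITY})),
        "foreign prefix": Announcement("203.0.113.9/32", frozenset({MITIGATION_COMMUNITY})),
    }
    return {name: edge_policy(ann, allocation) for name, ann in cases.items()}


if __name__ == "__main__":
    for name, d in demo_decisions().items():
        print(f"{name:<15} {d.action:<10} next-hop={d.next_hop}  ({d.reason})")
```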




Re: SORBS on autopilot?

2010-01-11 Thread Jon Lewis

On Mon, 11 Jan 2010, Ken Chase wrote:


Anyone got some pointers on how to get off SORBS' Dynamic IP lists?

We've followed their RFC proposed static reverse DNS assignment naming 
and all elements of their FAQ.


Have you tried all 3 of the routes listed at 
http://www.au.sorbs.net/faq/dul.shtml ?


Something they don't tell you on the web page is that they ignore TTL and 
cache your DNS for a relatively long time.  If you tried for automated 
removal and your rDNS wasn't SORBS-compliant, automated removal isn't 
going to work for some number of days (I forget how many) even after you 
have made your rDNS SORBS-compliant.


67.196.137.160  H160.C137.B196.A67.tor.colo.heavycomputing.ca.
67.196.137.161  H161.C137.B196.A67.tor.colo.heavycomputing.ca.
67.196.137.162  H162.C137.B196.A67.tor.colo.heavycomputing.ca.
67.196.137.163  sizone.org.
67.196.137.164  H164.C137.B196.A67.tor.colo.heavycomputing.ca.
67.196.137.165  H165.C137.B196.A67.tor.colo.heavycomputing.ca.
67.196.137.166  H166.C137.B196.A67.tor.colo.heavycomputing.ca.

With rDNS like that...good luck.  Go read

http://tools.ietf.org/id/draft-msullivan-dnsop-generic-naming-schemes-00.txt

change your rDNS, wait a few days, and maybe you'll have a chance.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: SORBS on autopilot?

2010-01-11 Thread Larry Smith
On Mon January 11 2010 09:48, Ken Chase wrote:
> Anyone got some pointers on how to get off SORBS' Dynamic IP lists?
>
> We've followed their RFC proposed static reverse DNS assignment naming and
> all elements of their FAQ.
>
> We are not spammers. The /24 in question isn't listed on any RBLs except
> SORBS DUL.
>
> We've submitted requests in various different formats, but get a robot
> reply and -ENOJOY.
>
> We've even had our upstream that is listed at the RIR as managing the
> supernet of our BGP announced prefixes submit requests to delist for the
> /24, but we are only ever replied to by a robot that lists 67.196.137.0/24
> as dynamic except .163 (somehow manually excluded from their db, I think
> when they weren't adrift in years past). Our upstream's techs are also at a
> loss now and suggested I seek arcane clue amongst the sages here.
>
> Pointers appreciated.
>
> /kc

Hmmm, probably something to do with your "reverse" naming convention:

host 67.196.137.1
1.137.196.67.in-addr.arpa domain name pointer 
H1.C137.B196.A67.tor.colo.heavycomputing.ca.

host 67.196.137.163
163.137.196.67.in-addr.arpa domain name pointer sizone.org.

host 67.196.137.16
16.137.196.67.in-addr.arpa domain name pointer 
H16.C137.B196.A67.tor.colo.heavycomputing.ca.

host 67.196.137.162
162.137.196.67.in-addr.arpa domain name pointer 
H162.C137.B196.A67.tor.colo.heavycomputing.ca.

IP 67.196.137.163 appears to actually have a "name" and everything
else has Hnnn.C137.B196.A67.tor.colo.heavycomputing.ca (where nnn
is the fourth octet IP).

-- 
Larry Smith
lesm...@ecsis.net



SORBS on autopilot?

2010-01-11 Thread Ken Chase
Anyone got some pointers on how to get off SORBS' Dynamic IP lists?

We've followed their RFC proposed static reverse DNS assignment naming and all
elements of their FAQ.

We are not spammers. The /24 in question isn't listed on any RBLs except SORBS 
DUL.

We've submitted requests in various different formats, but get a robot reply
and -ENOJOY.

We've even had our upstream that is listed at the RIR as managing the supernet
of our BGP announced prefixes submit requests to delist for the /24, but
we are only ever replied to by a robot that lists 67.196.137.0/24 as
dynamic except .163 (somehow manually excluded from their db, I think when
they weren't adrift in years past). Our upstream's techs are also at a loss now
and suggested I seek arcane clue amongst the sages here.

Pointers appreciated.

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.



Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Rick Ernst
I thought I had mentioned outsourcing earlier, but I don't see it in the
thread...

The two mechanisms I've seen for outsourced D/DoS are DNS manipulation, or
essentially remote BGP peering with a tunnel back to the local presence.

Even if we are purely hosting, DNS manipulation doesn't do anything for
attacks against an IP.
For remote BGP peering/tunneling, you are adding additional complexity
and moving control outside your network.

As a service-provider/data-center, it seems like outsourcing would be either
ineffective and/or removes the "big red button" in case of trouble.

Am I missing something, overly paranoid, or are there other mechanisms for
outsourced protection?

Rick


On Mon, Jan 11, 2010 at 6:33 AM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> > -Original Message-
> > From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> > Sent: Monday, January 11, 2010 2:05 AM
> >
> > On Mon, Jan 11, 2010 at 12:26 AM, jul  wrote:
> > > Martin Hannigan wrote on 05/01/10 16:50:
> > >
> > > Outsourced services have higher cost than Arbor but can handle more.
> >
> > Do they? VerizonBusiness's solution was $3250US/month so ~$90USk over
> > 2yrs. Arbor, I think, for a TMS + collectors was +100k.
>
> Don't forget to factor in OpEx.  This can often tilt the scales in favor of
> one vs. the other.
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>
>


AT&T request...

2010-01-11 Thread Matt Kelly
Can someone from AT&T please contact me off list regarding a problem
with a segment of our network being blocked?

Thanks.

--Matt



RE: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Stefan Fouant
> -Original Message-
> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> Sent: Monday, January 11, 2010 2:05 AM
> 
> On Mon, Jan 11, 2010 at 12:26 AM, jul  wrote:
> > Martin Hannigan wrote on 05/01/10 16:50:
> >
> > Outsourced services have higher cost than Arbor but can handle more.
> 
> Do they? VerizonBusiness's solution was $3250US/month so ~$90USk over
> 2yrs. Arbor, I think, for a TMS + collectors was +100k.

Don't forget to factor in OpEx.  This can often tilt the scales in favor of
one vs. the other.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




RE: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Stefan Fouant
> -Original Message-
> From: Hank Nussbacher [mailto:h...@efes.iucc.ac.il]
> Sent: Monday, January 11, 2010 4:40 AM
> To: jul
> Cc: NANOG
> Subject: Re: D/DoS mitigation hardware/software needed.
> 
> On Mon, 11 Jan 2010, jul wrote:
> 
> > Known leader of the clean-pipe solution is Prolexic
> > http://www.prolexic.com/
> >
> > Akamai and Verisign also try to go on this market
> > http://www.akamai.com/security (through CDN)
> > http://www.verisign.com/internet-defense-network/index.html
> 
> Indeed, these 3 also ended up on my shortlist after much research.
> Each has areas they are weaker in than their competitors but they are all
> worthy.

If you're connected to Level 3 in any capacity, they have a reseller
agreement with Prolexic and can offer REALLY aggressive pricing.  I really
liked their offering.

If anyone is interested, I did pretty exhaustive research into the Service
Provider marketplace last summer (before Verisign came out with their VIDN).
I've got some slides which outline the costs, mitigation capacity, etc. of
many different providers.  The provider option isn't always the cheapest
when compared to DIY factored in over a 3-5 year lifespan.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: D/DoS mitigation hardware/software needed.

2010-01-11 Thread Hank Nussbacher

On Mon, 11 Jan 2010, jul wrote:

> Known leader of the clean-pipe solution is Prolexic
> http://www.prolexic.com/
>
> Akamai and Verisign also try to go on this market
> http://www.akamai.com/security (through CDN)
> http://www.verisign.com/internet-defense-network/index.html

Indeed, these 3 also ended up on my shortlist after much research.  Each
has areas they are weaker in than their competitors but they are all
worthy.


-Hank