Re: Looking Glass

2010-09-07 Thread Artyom Viklenko

On 08.09.2010 01:35, Nathan Stratton wrote:


On Tue, 7 Sep 2010, Jack Carrozzo wrote:


FWIW Quagga works fine as a looking glass if you don't mind the telnet
interface. Though, if you really want ssh, you could make a user on the
machine whose login script runs 'vtysh' and logs out on exit, however it's
admittedly less elegant.


Anyone know of a good http looking glass that works with quagga?


Try http://wiki.version6.net/LG






Nathan Stratton CTO, BlinkMind, Inc.
nathan at robotics.net nathan at blinkmind.com
http://www.robotics.net http://www.blinkmind.com




--
   Sincerely yours,
Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | 
FreeBSD: The Power to Serve   -  http://www.freebsd.org



Re: yahoo crawlers hammering us

2010-09-07 Thread Harry Strongburg
On Tue, Sep 07, 2010 at 04:19:58PM -0400, Ken Chase wrote:
> This makes it look like Yahoo is actually trafficking in pirated software, but
> that's kinda too funny to expect to be true, unless some yahoo tech decided to
> use that IP/server @yahoo for his nefarious activity, but there are better sites
> than my customer's box to get his 'juarez'.

It's not uncommon at all for a web-spider to find large files and 
download them. I don't think there's some conspiracy at Yahoo to find 
warez; they are just operating as a normal spider, indexing the 
Internet.

> ~500K/s (4Mbps+) for a 3 gig file is kinda... a bit harsh.

What speed would you like a spider to download at? You could configure 
the speeds to Yahoo's blocks server-side if you care enough. Ideally, 
request your customer doesn't throw large programs on there if you're 
concerned about bandwidth. 4 Mb/s isn't abnormal at all for a spider, 
and especially on a larger file.

> Is this expected/my own fault or what?

A little bit of both :)



Re: ISP port blocking practice

2010-09-07 Thread Robert Bonomi
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org  Tue Sep  7 15:15:13 
> 2010
> Date: Mon, 6 Sep 2010 19:55:06 -0500
> From: Brett Frankenberger 
> To: deles...@gmail.com
> Subject: Re: ISP port blocking practice
> Cc: NANOG list 
>
> On Mon, Sep 06, 2010 at 10:38:15PM +, deles...@gmail.com wrote:
> >
> > Having worked in past @ 3 large ISPs with residential customer pools
> > I can tell you we saw a very direct drop in spam issues when we
> > blocked port 25.
>
> No one is disputing that.  Or, at least, I'm not disputing that.  I'm
> questioning whether or not the *Internet* has experienced any decrease
> in aggregate spam as a result of ISPs blocking port 25.  Did the spam
> you blocked disappear, or did it all get sent some other way?  

_I_ can't say about 'some other way',  but, on average, between 1/4 and 1/3
of all the incoming spam at my personal server is 'direct to MX', that
would have been, at least 'slowed a little bit' by "classical, dumb" 
port 25 blocking.

Now, a *smart* port 25 enforcer -- where traffic outbound to port 25 was
selectively NATted into a 'data sink' -- something that replies "200" to 
everything up to the DATA command, and _always_ gives a 5xy response to 
that (with text like "you must send outgoing mail through our server"),
WOULD kill the traffic dead. Or, at least, force the spamware writers to 
start paying attention to SMTP response codes, *IF* they wanted to count
deliveries.  All available evidence says that -most- spammers/spamware/
botnets pay no attention to such -- as established by the effectiveness of
GreetPause, and greylisting.

It is worth noting that this kind of 'smart' port 25 blocking would also
automatically identify 'infected' machines, and by consulting the records
of who is currently on that IP address, tell _which_customer_ has the
infected machine, *AND* notify the customer of their problem.  All without
any need for any (expensive) human involvement.

Aside, if spamware _had_ to 'obey the rules' of SMTP transactions, regarding
reading reply codes, that alone would probably reduce by 50%, if not
more, the aggregate sending _capacity_ of the world's spam sources.  Whether
that would make much of a difference, I don't know -- depends on how far
existing 'capacity' exceeds existing usage/demand.
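A minimal 'data sink' of the kind Robert describes, as an added example (not code from the post): it accepts the envelope with 250, never answers 354, refuses every DATA with a 5xx carrying the "use our server" text, and records per connection how many message attempts were made and how many lines the client pushed after the refusal (i.e. spamware ignoring reply codes). The redirect of customer port 25 traffic to this listener, the relay hostname `smtp.example.net` and the listening port 2525 are assumptions.

```python
"""SMTP 'data sink' for redirected outbound port-25 traffic (added example)."""
import socketserver

SUBMISSION_HOST = "smtp.example.net"   # ASSUMED placeholder for the ISP's real relay


class SmtpSink:
    """Accept the SMTP envelope, refuse every DATA, and record what the client did."""

    GREETING = "220 mail-sink ESMTP outbound port 25 is redirected here"

    def __init__(self):
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.data_rejected = 0      # messages this client tried to send
        self.ignored_rejects = 0    # body-looking lines pushed after a refused DATA

    def reset(self):
        self.sender = None
        self.rcpts = []

    def handle_line(self, line: str):
        """Return (reply, close_connection) for one client command line."""
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 mail-sink Hello {arg}", False
        if verb == "MAIL":
            self.sender = arg
            return "250 2.1.0 Sender OK", False
        if verb == "RCPT":
            self.rcpts.append(arg)
            return "250 2.1.5 Recipient OK", False
        if verb == "DATA":
            # Never answer 354, so no message body is ever accepted; the 5xx text
            # tells a human what to do. (The post says "200"; SMTP success is 250.)
            self.data_rejected += 1
            return (f"550 5.7.1 You must send outgoing mail through our server "
                    f"({SUBMISSION_HOST}); this host may be infected"), False
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 OK", False
        if verb == "NOOP":
            return "250 2.0.0 OK", False
        if verb == "QUIT":
            return "221 2.0.0 Bye", True
        # Anything unrecognised after a refused DATA is almost certainly spamware
        # streaming the body regardless of the reply code, which is the point above.
        if self.data_rejected:
            self.ignored_rejects += 1
        return "500 5.5.2 Command not recognized", False

    def summary(self):
        return {"helo": self.helo, "sender": self.sender, "rcpts": list(self.rcpts),
                "data_rejected": self.data_rejected,
                "ignored_rejects": self.ignored_rejects}


def run_session(sink, client_lines):
    """Feed a scripted client session through the sink; returns the replies."""
    replies = []
    for line in client_lines:
        reply, close = sink.handle_line(line)
        replies.append(reply)
        if close:
            break
    return replies


class SinkHandler(socketserver.StreamRequestHandler):
    """One TCP connection = one SmtpSink; prints the per-source record at the end."""

    def handle(self):
        sink = SmtpSink()
        self.wfile.write((SmtpSink.GREETING + "\r\n").encode())
        for raw in self.rfile:
            reply, close = sink.handle_line(raw.decode("latin-1", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if close:
                break
        # Source IP plus this record is what you would join against "who is
        # currently on that IP" to find and notify the infected customer.
        print(self.client_address[0], sink.summary())


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), SinkHandler) as srv:
        srv.serve_forever()
```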





Re: Looking Glass

2010-09-07 Thread Craig Van Tassle
On Tue, 07 Sep 2010 17:09:21 +0300
Peter Rudasingwa  wrote:

> I have a linux (ubuntu) box and I would like to install a BGP looking 
> glass. Are there any out there for free and how can one go about it?
> Is linux the best OS to use?
> 
> Thanks,
> Peter R.

I have used Multi-Router Looking Glass in the past and it's been pretty
good. 

http://freshmeat.net/projects/mrlg4php/


-- 




Re: Looking Glass

2010-09-07 Thread Ryan Shea
*Install quagga and rancid

sudo apt-get install rancid rancid-cgi quagga


*Enable bgpd in /etc/quagga/daemons

*Hook up your Quagga.conf with all the fun bgp configuration bits. Search on
the intarwebs or man pages for configuration details.

*Set up a user with vtysh as their shell.

*Set up the rancid cloginrc file with the login stuff for your quagga router
using the user with vtysh access. To Randy's point, it can certainly do
ssh... but Rancid certainly uses "some abhorrent language's libraries".

*Edit the configuration for the looking glass CGI /etc/rancid/lg.conf

*Tweak out the CGI to be less horrible.

*Profit.

-Ryan

On Tue, Sep 7, 2010 at 6:35 PM, Nathan Stratton  wrote:

>
> On Tue, 7 Sep 2010, Jack Carrozzo wrote:
>
>  FWIW Quagga works fine as a looking glass if you don't mind the telnet
>> interface. Though, if you really want ssh, you could make a user on the
>> machine whose login script runs 'vtysh' and logs out on exit, however it's
>> admittedly less elegant.
>>
>
> Anyone know of a good http looking glass that works with quagga?
>
> Nathan Stratton CTO, BlinkMind, Inc.
> nathan at robotics.net nathan at blinkmind.com
> http://www.robotics.net http://www.blinkmind.com
>
>


Inline Traffic Management / Tracking - Usage Based Billing

2010-09-07 Thread Paul Stewart
Hi there...

 

We are examining several options currently for appliances/devices that
sit  inline (most likely) and can perform all/some of these services:

 

-Track customer usage and generate monthly reports based on username
(PPPOE) or cable MAC (DHCP) - and doesn't require any changes to our
Radius infrastructure.  In other words, it has the smarts to gather the
username/IP combination along with the Radius Start/Stop to do accurate
reporting.

-Throttling of certain services/applications at certain times of day
(looking for fairly extensive options here including ability to take
total link capacity into account - reasonably dynamic)

-24X7X365 support and hardware coverage (no next business day shipping -
4 hour response onsite kind of stuff)

-Clustering/HA options

-Centralized management/reporting

 

This is NOT an open invitation for sales people to contact me - I'm
asking here for operational feedback with likes/dislikes.  I can
appreciate if most folks prefer to reply offline.  We have trialled the
Arbor solution to date but that is the only comparison we have so far.

 

Thanks,

 

Paul Stewart

 



Re: Looking Glass

2010-09-07 Thread Jack Carrozzo
On Tue, Sep 7, 2010 at 6:35 PM, Nathan Stratton  wrote:
>
> Anyone know of a good http looking glass that works with quagga?
>

I realize this is probably more hacking than you want to do, but Quagga can
expose much of its info via SNMP. Thus it would be fairly trivial to write
an http front end to it if you were so motivated (or, have some interns on
hand without enough to do).

-Jack Carrozzo


Re: Looking Glass

2010-09-07 Thread Nathan Stratton


On Tue, 7 Sep 2010, Jack Carrozzo wrote:


FWIW Quagga works fine as a looking glass if you don't mind the telnet
interface. Though, if you really want ssh, you could make a user on the
machine whose login script runs 'vtysh' and logs out on exit, however it's
admittedly less elegant.


Anyone know of a good http looking glass that works with quagga?



Nathan Stratton CTO, BlinkMind, Inc.
nathan at robotics.net nathan at blinkmind.com
http://www.robotics.net http://www.blinkmind.com



Re: yahoo crawlers hammering us

2010-09-07 Thread Leslie
That speed doesn't seem too bad to me - robots.txt is our friend when 
one had bandwidth limitations.


Leslie



On 9/7/10 1:19 PM, Ken Chase wrote:

So I guess I'm new at internets as my colleagues told me because I haven't gone
around to 30-40 systems I control (minus customer self-managed gear) and
installed a restrictive robots.txt everywhere to make the web less useful to
everyone.

Does that really mean that a big outfit like yahoo should be expected to
download stuff at high speed off my customers' servers? For varying values of
'high speed', ~500K/s (4Mbps+) for a 3 gig file is kinda... a bit harsh.
Especially for an exe a user left exposed in a webdir, that's possibly (C)
software and shouldn't have been there (now removed by customer, some kinda OS
boot cd/toolset thingy).

This makes it look like Yahoo is actually trafficking in pirated software, but
that's kinda too funny to expect to be true, unless some yahoo tech decided to
use that IP/server @yahoo for his nefarious activity, but there are better sites
than my customer's box to get his 'juarez'.

At any rate:


From Address       To Address              Proto  Bytes     CPS
================================================================
67.196.xx.xx..80   67.195.112.151..44507   tcp    14872000  523000

$ host 67.195.112.151 8.8.8.8

151.112.195.67.in-addr.arpa domain name pointer b3091122.crawl.yahoo.net.

CIDR:   67.195.0.0/16
NetName:A-YAHOO-US8

so that's yahoo, or really well spoofed.

Is this expected/my own fault or what?

A number of years ago, there were 1000s of videos on a customer site (training
for elderly care, extremely exciting stuff for someone into -1-day movies to
post on torrent sites). Customer called me to say his bw was gone, and I
checked and found 12 yahoo crawlers hitting the site at 300K/s each (~30Mbps
+) downloading all the videos. This was all the more injurious as it was only
2004 and bandwidth was more than $1/mbps back then. I did the really crass
thing and nullrouted the whole /20 or whatever they were on per ARIN. It was
the new-at-the-time video.yahoo.com search engine coming to index the whole
site. I suppose they can't be too slow about it, or they'll never index a whole
webfull of videos this century, but still, 12x 300K/s in 2004? (At the time
Rasmus thought it was kinda funny. I do too, now.)

/kc




Re: Looking Glass

2010-09-07 Thread Jack Carrozzo
FWIW Quagga works fine as a looking glass if you don't mind the telnet
interface. Though, if you really want ssh, you could make a user on the
machine whose login script runs 'vtysh' and logs out on exit, however it's
admittedly less elegant.

-Jack Carrozzo

On Tue, Sep 7, 2010 at 4:09 PM, Jens Link  wrote:

> James Bensley  writes:
>
> > Hmm, Google says you could use http://www.zebra.org/ to set your box
> > up as a route, and then you can just view the routes from there?
>
> Aehm, Zebra is dead. Quagga is the successor.
>
> Last change date on zebra.org website is 5 years old.
>
> Jens
> --
> -
> | Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
> | http://blog.quux.de | jabber: jensl...@guug.de | ---  |
> -
>
>


yahoo crawlers hammering us

2010-09-07 Thread Ken Chase
So I guess I'm new at internets as my colleagues told me because I haven't gone
around to 30-40 systems I control (minus customer self-managed gear) and
installed a restrictive robots.txt everywhere to make the web less useful to
everyone.

Does that really mean that a big outfit like yahoo should be expected to
download stuff at high speed off my customers' servers? For varying values of
'high speed', ~500K/s (4Mbps+) for a 3 gig file is kinda... a bit harsh.
Especially for an exe a user left exposed in a webdir, that's possibly (C)
software and shouldn't have been there (now removed by customer, some kinda OS
boot cd/toolset thingy).

This makes it look like Yahoo is actually trafficking in pirated software, but
that's kinda too funny to expect to be true, unless some yahoo tech decided to
use that IP/server @yahoo for his nefarious activity, but there are better sites
than my customer's box to get his 'juarez'.

At any rate:

From Address       To Address              Proto  Bytes     CPS
================================================================
67.196.xx.xx..80   67.195.112.151..44507   tcp    14872000  523000

$ host 67.195.112.151 8.8.8.8

151.112.195.67.in-addr.arpa domain name pointer b3091122.crawl.yahoo.net.

CIDR:   67.195.0.0/16
NetName:A-YAHOO-US8

so that's yahoo, or really well spoofed.

Is this expected/my own fault or what?

A number of years ago, there were 1000s of videos on a customer site (training
for elderly care, extremely exciting stuff for someone into -1-day movies to
post on torrent sites). Customer called me to say his bw was gone, and I
checked and found 12 yahoo crawlers hitting the site at 300K/s each (~30Mbps
+) downloading all the videos. This was all the more injurious as it was only
2004 and bandwidth was more than $1/mbps back then. I did the really crass
thing and nullrouted the whole /20 or whatever they were on per ARIN. It was
the new-at-the-time video.yahoo.com search engine coming to index the whole
site. I suppose they can't be too slow about it, or they'll never index a whole
webfull of videos this century, but still, 12x 300K/s in 2004? (At the time
Rasmus thought it was kinda funny. I do too, now.)

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.



Re: Looking Glass

2010-09-07 Thread Jens Link
James Bensley  writes:

> Hmm, Google says you could use http://www.zebra.org/ to set your box
> up as a route, and then you can just view the routes from there?

Aehm, Zebra is dead. Quagga is the successor. 

Last change date on zebra.org website is 5 years old.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: just seen my first IPv6 network abuse scan, is this the start for more?

2010-09-07 Thread Valdis . Kletnieks
On Tue, 07 Sep 2010 09:03:12 EDT, Jamie Bowden said:

> Now, on to the topic at hand.  Why would you scan the address space in
> the first place?  Wouldn't it be easier to compromise a known host and
> look at the ARP table?  Or better yet, the router on the edge?  If it's
> moving packets, something on the network has mapped the MAC address to
> its IP at some point.

Remember that although there are some truly scary black hats out there, the
vast majority of them are even less technically savvy than your average trainee
banana eater, and will do things so mind-bogglingly stupid that you have to
roll a saving throw at -5 to disbelieve ;)

True incident I worked on sometime last century:

I get called about this AIX box, it's been hosed for "a while", and they can't
login to run the one application they ran literally once a year that they kept
this box around for. Preliminary indications are /etc/passwd is scrozzled.  So
I boot off an install CD and start looking. Takes about 10 seconds to figure
out the box was hacked.

I'm amazed - the machine wasn't fully hardened, and was *way* behind on
patches. On the other hand, it *was* at least tcp-wrappered, and the attacker
managed to fingerprint it as an AIX box without setting any of the wrappers
off.  The guy whacked it with either a telnetd or ftpd exploit, and by looking
at process accounting, I was able to verify it worked on the *first* try.  I'm
suitably impressed at this point - even 15 years ago, AIX wasn't common enough
that most black hats kept exploits in their back pockets (much less know enough
to use them on the first try).

Guy whacks the box on the very first try, and then it gets interesting.

Guy says 'cat > /etc/paswd^[[D^[[Dswd' because he doesn't realize his exploit
rootshell doesn't have line editing.

Guy tries to get in on a second session, realizes his attempt to set a root
backdoor didn't work, so he does this for his second try:

cat > /etc/passwd
foo::1:0::/:
^D

Yep.  1.  Not zero.  And > not >>.  So then when he tries to come in via
telnet again, inetd won't do it because inetd.conf says 'root' and there's no
'root' in /etc/passwd anymore.

Actual forensics work:  about 15 mins. Convincing myself it was a damned lucky
ankle-biter and not a uberhacker leaving a false trail:  most of an 8-hour day.

Or as I said on another list - "Sometimes the data makes a lot more sense if
you ask yourself 'What if the Three Stooges were hackers?'".  And there's no
indication that the bell curve of black hat clue levels has shifted any since
last century.
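The "takes about 10 seconds" part of the story above, as an added example that is not Valdis's own tooling: a sanity check over a recovered /etc/passwd that flags exactly the things the botched break-in left behind (an account with an empty password field, the required `root` entry gone) and the thing the attacker meant to leave (an extra uid 0 account). The sample files are constructed; AIX-style `!` password fields are assumed, and the check is meant to run on a copy taken from the install-media boot, not on the live box.

```python
"""Audit a /etc/passwd copy for tampering indicators (added example)."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed samples: what the post says the attacker wrote, a plausible clean
# file for an AIX-style box (password hashes live elsewhere, hence "!"), and the
# backdoor line the attacker was presumably trying to write.
ATTACKER_FILE = "foo::1:0::/:\n"
NORMAL_FILE = "root:!:0:0:root:/:/usr/bin/ksh\ndaemon:!:1:1::/etc:\n"
BACKDOOR_LINE = "foo::0:0::/:\n"


def parse_passwd(text: str):
    """Yield (line_no, record_or_None, raw_line) for each non-empty line."""
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != len(FIELDS):
            yield no, None, raw          # wrong field count: malformed
            continue
        yield no, dict(zip(FIELDS, parts)), raw


def audit_passwd(text: str, required=("root",)):
    """Return a list of human-readable findings; empty means nothing looked tampered."""
    findings = []
    seen = {}
    for no, rec, raw in parse_passwd(text):
        if rec is None:
            findings.append(f"line {no}: malformed ({raw!r} has "
                            f"{raw.count(':') + 1} fields, expected {len(FIELDS)})")
            continue
        name = rec["name"]
        if name in seen:
            findings.append(f"line {no}: duplicate account {name!r}")
        seen[name] = rec
        if rec["passwd"] == "":
            # An empty second field means login with no password at all.
            findings.append(f"line {no}: {name!r} has an empty password field")
        try:
            uid = int(rec["uid"])
        except ValueError:
            findings.append(f"line {no}: {name!r} has non-numeric uid {rec['uid']!r}")
            continue
        if uid == 0 and name != "root":
            findings.append(f"line {no}: {name!r} is an extra uid 0 account")
        if name == "root" and uid != 0:
            findings.append(f"line {no}: 'root' has uid {uid}, not 0")
    for acct in required:
        if acct not in seen:
            # This is why inetd stopped starting the telnet service in the story.
            findings.append(f"required account {acct!r} is missing; services "
                            f"configured to run as it will fail to start")
    return findings


if __name__ == "__main__":
    for label, content in (("attacker", ATTACKER_FILE), ("clean", NORMAL_FILE),
                           ("backdoored", NORMAL_FILE + BACKDOOR_LINE)):
        print(label, audit_passwd(content) or "no findings")
```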





Re: whois at rest

2010-09-07 Thread Seth Mattinen
On 9/7/10 10:23 AM, Jon Lewis wrote:
> More often than not today the only replies I've been getting back from
> the ARIN whois servers is:
> 
> ERROR 503: Unable to service request due to high volume.
> 
> Is there really high volume today, or is the new restful thing broken
> again?
> 

S, it's an improvement over the old ways.

~Seth



Re: IPv4 squatters on the move again?

2010-09-07 Thread todd glassey
On 9/7/2010 1:24 AM, Tero Toikkanen wrote:
> Anyone hear of the SundownGroup?

yes it is the fictional name - it pertains to a covert operations group
from a Tommy Lee Scott & Gene Hackman movie called "The Package". As I
recall "Operation Sundown" was the op name and it was a bunch of
assassins but there were a number of instances used.

In this instance the SundownGroup (or Sundowner Group) was a specialized
Army strikeforce who was about to assassinate the Russian Prime Minister
or somesuch.

TGlassey


> 
> On Thursday we received an interesting RFQ from them and suspect their 
> intentions for requesting an IP assignment isn't exactly what they state. We 
> have already turned them down, but thought others might be interested in 
> their activities as well. RIPE NCC has also been notified of this.
> 
> In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 
> 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block 
> of IP Adresses"
> 
> Their reason for requesting such a large address block was "As we are 
> currently launching our WholesaleVOIP operation we are in desperate need of 
> this IP space as part of our ARIN process we will need these ranges SWIPd to 
> us and we will in turn renumber with ARIN and return the netblocks to you as 
> soon as ours are allocated and routed."
> 
> Interesting tidbits about the company we and the networking community have 
> already found out:
> 
> Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has 
> been notified).
> 
> The contact address is the same as National University Nevada (nu.edu):
> 
> Sundown Capital Management LLC
> 2850 Horizon Ridge Parkway
> Henderson, Nevada 89052
> United States of America
> 
> They also have virtually no Internet presence 
> (http://www.google.com/search?q=%22Sundown+Capital+Management%22)
> The first result shows them as a franchising company with contact address in 
> California: 
> http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits
> 
> I'd say this case is pretty obvious...
> 
> With Kind Regards,
> --
> Tero Toikkanen
> Nebula Oy Internet Services
> 
> 
> 
> 
> 


-- 




whois at rest

2010-09-07 Thread Jon Lewis
More often than not today the only replies I've been getting back from 
the ARIN whois servers is:


ERROR 503: Unable to service request due to high volume.

Is there really high volume today, or is the new restful thing broken 
again?


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: IPv4 squatters on the move again?

2010-09-07 Thread Christopher Morrow
On Tue, Sep 7, 2010 at 10:35 AM, Jon Lewis  wrote:
> On Tue, 7 Sep 2010, Christopher Morrow wrote:
>> I used to have some quick/dirty instructions for how to verify that
>> the traffic was in fact proxy traffic, something like:
>> 1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
>> 2) pick an external 'top talker'
>> 3) route that /32 to a host you control
>> 4) run NC on the port that /32 is being contacted on
>> 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
>> smtp.x:25"
>
> Seems like a lot of work when you could just setup a monitor session on
> their port and capture a few minutes of actual spam traffic as evidence just
> before shutting their port.

sorry, can't do monitor on a ptp oc-12 link :(



Re: Looking Glass

2010-09-07 Thread Jason Chambers
On 9/7/10 7:09 AM, Peter Rudasingwa wrote:
> I have a linux (ubuntu) box and I would like to install a BGP looking
> glass. Are there any out there for free and how can one go about it? Is
> linux the best OS to use?
> 

Set up quagga [1] and write a perl script [2] to "peer" with the box.
The perl script updates a database as BGP events occur.  The rest is
easy web programming.

[1] http://www.quagga.net/
[2] http://search.cpan.org/dist/Net-BGP/


Regards,

--Jason



Re: Looking Glass

2010-09-07 Thread David Hill
On Tue, Sep 07, 2010 at 05:09:21PM +0300, Peter Rudasingwa wrote:
:I have a linux (ubuntu) box and I would like to install a BGP looking
:glass. Are there any out there for free and how can one go about it?
:Is linux the best OS to use?
:
:Thanks,
:Peter R.

Try OpenBSD w/ OpenBGPd.  It includes a looking glass cgi script. 

-- 
The longer I am out of office, the more infallible I appear to myself.
-- Henry Kissinger




Re: Looking Glass

2010-09-07 Thread Ryan Shea
The rancid package includes a perl based looking glass CGI thing.  You may
want to look at that and modify it to suit your needs.

-Ryan

On Tue, Sep 7, 2010 at 11:29 AM, James Bensley  wrote:

> Hmm, Google says you could use http://www.zebra.org/ to set your box
> up as a route, and then you can just view the routes from there?
>
> Or look here; http://www.bgp4.as/tools
>
> --
> Regards,
> James.
>
> http://www.jamesbensley.co.cc/
>
> There are 10 kinds of people in the world; Those who understand
> Vigesimal, and J others...?
>
>


Re: Looking Glass

2010-09-07 Thread Randy Bush
> I have a linux (ubuntu) box and I would like to install a BGP looking
> glass. Are there any out there for free and how can one go about it?
> Is linux the best OS to use?

i gave up.  all but one required telnet access to the router(s).  and
the one that did ssh did so by including half of the world's archives
of some abhorrent language's libraries.

randy



Re: Looking Glass

2010-09-07 Thread James Bensley
Hmm, Google says you could use http://www.zebra.org/ to set your box
up as a route, and then you can just view the routes from there?

Or look here; http://www.bgp4.as/tools

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?



Looking Glass

2010-09-07 Thread Peter Rudasingwa
I have a linux (ubuntu) box and I would like to install a BGP looking 
glass. Are there any out there for free and how can one go about it? Is 
linux the best OS to use?


Thanks,
Peter R.


Re: OAM and QinQ

2010-09-07 Thread Frédéric Gabut-Deloraine

Hello,

We're working on deploying some L2 services over an MPLS network. Our model 
includes a CPE with OAM capabilities and QinQ from the PE to the CPE. For now we 
want to do simple OAM functions from CPE-CPE (no MIPs in the MPLS network). 



Our lab testing has shown some sort of incompatibilities between OAM and QinQ. 
OAM frames are encapsulated with a single VLAN tag (the SVLAN) on the CPE. When 
the PEs only perform SVLAN swapping, everything works fine. If we configure the 
PE to also perform CVLAN manipulation, it drops OAM frames. It likely does not 
know how to process them because they don't have a CVLAN tag. We're working with 
2 CPE vendors and neither of them are able to add 2 VLAN tags to the OAM frames. 


When we tried OAM with our CPE we activated the MEP on the client subif, so the OAM 
frames were encapsulated in both VLANs (S and C) and everything worked fine: it was a 
Telco Systems CPE (T280 or T380).


--
Frédéric Gabut-Deloraine



Re: IPv4 squatters on the move again?

2010-09-07 Thread Suresh Ramasubramanian
Yeah.  This is just the way snowshoe spammers operate - GRE or VPN
tunnels back to a master server, and a /24 full of output points with
throwaway hostnames / reverse dns

On Tue, Sep 7, 2010 at 8:05 PM, Jon Lewis  wrote:
> I haven't seen that excuse/justification from customers.  What I did see
> recently that I have to admit was very slick was a customer who claimed they
> were going to be doing a bunch of remote "terminals" in stores VPN'd into
> their dedi servers and would be streaming video from the servers to the
> clients.  This was of course 99% BS.  There was VPN involved...they used
> the dedi servers as VPN endpoints for their spam servers that were hosted
> elsewhere.  When we shut them down, there was absolutely nothing
> incriminating of spam operations on their servers...and all they had to do
> was sign up for service at another hosting company, setup the VPN server,
> change the IPs their spam servers VPN to, and they're back in business.
> When sales brought me their initial request, I really didn't believe it, but
> I didn't have good enough cause to reject it.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: IPv4 squatters on the move again?

2010-09-07 Thread Jon Lewis

On Tue, 7 Sep 2010, Christopher Morrow wrote:


it used to be (~4-5 years ago) that the spammer code of 'voip service
provider' was really 'we intend on raping proxies all over the planet'
... when you call them out on the random port traffic out of their
pipe they point at their 'business' model that this is 'voip traffic,
you know that rtp uses random ports, right?'


I haven't seen that excuse/justification from customers.  What I did see 
recently that I have to admit was very slick was a customer who claimed 
they were going to be doing a bunch of remote "terminals" in stores VPN'd 
into their dedi servers and would be streaming video from the servers to 
the clients.  This was of course 99% BS.  There was VPN involved...they 
used the dedi servers as VPN endpoints for their spam servers that were 
hosted elsewhere.  When we shut them down, there was absolutely nothing 
incriminating of spam operations on their servers...and all they had to do 
was sign up for service at another hosting company, setup the VPN server, 
change the IPs their spam servers VPN to, and they're back in business.
When sales brought me their initial request, I really didn't believe it, 
but I didn't have good enough cause to reject it.



I used to have some quick/dirty instructions for how to verify that
the traffic was in fact proxy traffic, something like:
1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
2) pick an external 'top talker'
3) route that /32 to a host you control
4) run NC on the port that /32 is being contacted on
5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
smtp.x:25"


Seems like a lot of work when you could just setup a monitor session on 
their port and capture a few minutes of actual spam traffic as evidence 
just before shutting their port.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: just seen my first IPv6 network abuse scan,

2010-09-07 Thread Joe Greco
> Forgive the top posting, but Lookout is the corporate standard.

It prevents you from typing at the bottom?  How quaint :-)

> Now, on to the topic at hand.  Why would you scan the address space in
> the first place? 

Maybe because you haven't really thought about the magnitude of the
task?

Maybe you feel that there's some likelihood of certain addresses being
used?  We've seen stupid things under IPv4, and it seems certain that
IPv6 won't be immune to stupid vendor tricks.

> Wouldn't it be easier to compromise a known host and
> look at the ARP table? 

Maybe; however, it's not clear that this would be useful in generating
a complete list of available hosts, though it would certainly provide
the opportunity for finding more of them.

> Or better yet, the router on the edge?  If it's
> moving packets, something on the network has mapped the MAC address to
> its IP at some point.

And if it isn't moving packets, then maybe nothing has.  The devices 
on a network that are just idling and may be forgotten or unloved may
be at a fairly high risk for exploits and all that.  Eventually this
sort of thing is going to be a problem, as the number of network-
attached devices is exploding.  What's going to be more interesting is
the number of devices that are (re-)programmable; we'll eventually see
malware networks that are able to target more than just your CPE/router
device, and will have attack vectors against your ATA, your TV, your
DVR, your fridge, etc.  The trick is to find those devices, but even in
a bad case scenario, where you might have to scan the network to find 
additional devices to infect, the use of scanning alone isn't practical,
but scanning for devices from a given manufacturer's MAC assignment pool
might be, especially if you've essentially got forever in which to do 
it, and certainly sitting there passively on the network snooping is 
very practical.

The fact that many people walk around with a cell phone that has a high
speed processor and lots of memory in it says a lot about where consumer
electronics is going, and that we're likely to be seeing a lot more of
this sort of low-level bad guy activity that is able to target a list of
heterogeneous targets.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: IPv4 squatters on the move again?

2010-09-07 Thread Christopher Morrow
On Tue, Sep 7, 2010 at 10:03 AM, Jon Lewis  wrote:
> On Tue, 7 Sep 2010, Jeffrey Lyon wrote:
>
>> We see this all the time, usually it involves either a /20 or multiple-/xx
>> that change every month.
>
> If they want frequently changing IPs, it's almost certainly for spamming.
>
> I got the impression with these people they were just trying to get a bunch
> of SWIPs in order to go to ARIN and request as big a block of ipv4 as they
> could get with the intent to chop it up and resell it in pieces as soon as
> ARIN runs out of IPs to satisfy normal requests.

it used to be (~4-5 years ago) that the spammer code of 'voip service
provider' was really 'we intend on raping proxies all over the planet'
... when you call them out on the random port traffic out of their
pipe they point at their 'business' model that this is 'voip traffic,
you know that rtp uses random ports, right?'

I used to have some quick/dirty instructions for how to verify that
the traffic was in fact proxy traffic, something like:
1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
2) pick an external 'top talker'
3) route that /32 to a host you control
4) run NC on the port that /32 is being contacted on
5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
smtp.x:25"

from the connection...

-Chris
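The five-step check above, as an added example that is not part of Chris's post: a small Python listener that does the "run nc on the port" step for you and classifies the first bytes of every connection that arrives on the re-routed /32. It recognises the HTTP CONNECT line quoted in the post and, going a little beyond the post, the other shapes open-proxy abuse usually takes (HTTP GET with an absolute URI, SOCKS4, SOCKS5). Real RTP is UDP, so any TCP stream that opens like this is not "voip traffic". The listening port, the host names and the byte strings in the comments are constructed for illustration.

```python
"""Triage listener for the 'route the /32 to a box and run nc' trick.

Added example, not from the original thread.  Bind the destination port,
read the first bytes of each TCP connection, and say what they look like.
"""
import re
import socket
import sys

# First-line patterns for an HTTP forward-proxy request, e.g.
#   CONNECT smtp.x:25 HTTP/1.0
#   GET http://www.example.com/ HTTP/1.1      (absolute-URI form)
_HTTP_CONNECT = re.compile(rb"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]\r?\n")
_HTTP_ABSURI = re.compile(rb"^(GET|POST|HEAD)\s+http://([^/\s]+)\S*\s+HTTP/1\.[01]\r?\n")
_MAIL_PORTS = (25, 465, 587)


def classify(first_bytes: bytes) -> dict:
    """Classify the opening bytes of a TCP stream.

    Returns {'kind': ..., 'target': ..., 'smtp': bool}; 'smtp' is True when
    the proxied destination is a mail submission/relay port.
    """
    m = _HTTP_CONNECT.match(first_bytes)
    if m:
        host, port = m.group(1).decode(), int(m.group(2))
        return {"kind": "http-connect", "target": f"{host}:{port}", "smtp": port in _MAIL_PORTS}
    m = _HTTP_ABSURI.match(first_bytes)
    if m:
        return {"kind": "http-proxy-get", "target": m.group(2).decode(), "smtp": False}
    # SOCKS5 greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.
    if len(first_bytes) >= 2 and first_bytes[0] == 5:
        nmethods = first_bytes[1]
        if 1 <= nmethods and len(first_bytes) >= 2 + nmethods:
            return {"kind": "socks5", "target": None, "smtp": False}
    # SOCKS4 CONNECT: VN=0x04, CD=0x01, DSTPORT(2), DSTIP(4), USERID..., NUL.
    if len(first_bytes) >= 9 and first_bytes[0] == 4 and first_bytes[1] == 1:
        port = int.from_bytes(first_bytes[2:4], "big")
        ip = socket.inet_ntoa(first_bytes[4:8])
        return {"kind": "socks4", "target": f"{ip}:{port}", "smtp": port in _MAIL_PORTS}
    return {"kind": "unknown", "target": None, "smtp": False}


def listen(port: int, max_conns: int = 0) -> None:
    """Accept connections on *port* and print one verdict line per connection.

    max_conns=0 means run until interrupted.  Nothing is ever sent back, so
    the remote side only sees a silent accept followed by a close.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(64)
        seen = 0
        while not max_conns or seen < max_conns:
            conn, (src, _sport) = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    data = conn.recv(512)  # the first segment is enough to classify
                except socket.timeout:
                    data = b""
            v = classify(data)
            print(f"{src} -> :{port} {v['kind']} target={v['target']} smtp={v['smtp']}")
            seen += 1


if __name__ == "__main__":
    # Constructed default: the port the external 'top talker' was being hit on.
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

Run it as root (or with a high port and a redirect) on the host the /32 was routed to; a line reading `http-connect target=smtp.x:25 smtp=True` is the "rejoice" moment in step 5.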



Re: IPv4 squatters on the move again?

2010-09-07 Thread Jon Lewis

On Tue, 7 Sep 2010, Jeffrey Lyon wrote:


> We see this all the time, usually it involves either a /20 or multiple-/xx
> that change every month.


If they want frequently changing IPs, it's almost certainly for spamming.

I got the impression with these people they were just trying to get a 
bunch of SWIPs in order to go to ARIN and request as big a block of ipv4 
as they could get with the intent to chop it up and resell it in pieces as 
soon as ARIN runs out of IPs to satisfy normal requests.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: ISP port blocking practice

2010-09-07 Thread Randy Bush
>> i keep hearing that, but am having a hard time finding supporting data.
> 
> Might see the stats from http://cbl.abuseat.org - by AS.  Then compare
> the stats on a non port 25 filtered network (they have stats by AS) to
> stats on a network that is filtered on port 25
> 
> The networks that are filtered on port 25 will of course have any bots
> on that network originating spam by other means (social networks,
> webmail scripting etc), or other types of nastiness (DDoS etc).  But
> you won't find them mailing out direct on port 25.
> 
> The bots are very much there - and if the port 25 filtering were to be
> taken out, you'd at once see the increase in spam volumes.

thank you.  this makes sense.  i'm more focused on the receiving end and
signatures.  so more of the same spam does not bother me much.  but i
can see that pure count would matter to many.

randy



Re: IPv4 squatters on the move again?

2010-09-07 Thread Jon Lewis

On Tue, 7 Sep 2010, Tero Toikkanen wrote:


> Anyone hear of the SundownGroup?
>
> On Thursday we received an interesting RFQ from them and suspect their 
> intentions for requesting an IP assignment aren't exactly what they state. We 
> have already turned them down, but thought others might be interested in their 
> activities as well. RIPE NCC has also been notified of this.
>
> In brief they wanted to buy colo from us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB 
> HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP 
> Addresses"
>
> Their reason for requesting such a large address block was "As we are currently 
> launching our WholesaleVOIP operation we are in desperate need of this IP space as part 
> of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber 
> with ARIN and return the netblocks to you as soon as ours are allocated and routed."
>
> Interesting tidbits about the company we and the networking community have 
> already found out:
>
> Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has 
> been notified).


They hit up one of our sales guys last week.  I gave it an immediate two 
thumbs down.  I think the sales guy knew the request was bogus and was 
really just showing it to me out of humor.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



OAM and QinQ

2010-09-07 Thread Serge Vautour
Hello,

We're working on deploying some L2 services over an MPLS network. Our model 
includes a CPE with OAM capabilities and QinQ from the PE to the CPE. For now we 
want to do simple OAM functions from CPE-CPE (no MIPs in the MPLS network). 

Our lab testing has shown some sort of incompatibility between OAM and QinQ. 
OAM frames are encapsulated with a single VLAN tag (the SVLAN) on the CPE. When 
the PEs only perform SVLAN swapping, everything works fine. If we configure the 
PE to also perform CVLAN manipulation, it drops OAM frames. It likely does not 
know how to process them because they don't have a CVLAN tag. We're working with 
2 CPE vendors and neither of them is able to add 2 VLAN tags to the OAM frames. 

Has anyone else encountered this problem? How do you get around it? One option 
we're looking at is to simply not perform CVLAN manipulation on the PE. This 
means limiting our service to customers. 

Our PEs are all Juniper MX boxes if it helps.

Thanks,
Serge
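Added example, not from Serge's post or from any vendor's documentation: a tag-stack parser that shows what the PE is being asked to do with these frames. The CPE's OAM frames carry one tag followed by Ethertype 0x8902 (IEEE 802.1ag CFM), so a PE rule that expects an inner 802.1Q tag to rewrite finds none. `pe_cvlan_rewrite_ok` models that behaviour as an assumption about the PE, not as Junos logic. The MAC addresses, VLAN IDs and frames below are constructed test data.

```python
"""Walk the VLAN tag stack of an Ethernet frame and report what a PE sees.

Added example, not from the original post.  Ethertypes/TPIDs are the
standard values; the 'PE' model is an assumption, not a vendor behaviour.
"""
import struct

TPID_8021Q = 0x8100         # 802.1Q tag (C-tag; also widely used as S-tag)
TPID_8021AD = 0x88A8        # 802.1ad S-tag
TPID_LEGACY_QINQ = 0x9100   # pre-standard QinQ outer tag
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_LEGACY_QINQ}
ETHERTYPE_CFM = 0x8902      # IEEE 802.1ag / ITU-T Y.1731 OAM
ETHERTYPE_IPV4 = 0x0800


def parse_tags(frame: bytes) -> dict:
    """Return dst, src, the list of VLAN tags, the payload Ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in VLAN_TPIDS:
            break                      # first non-TPID value is the payload Ethertype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def pe_cvlan_rewrite_ok(frame: bytes, expected_svlan: int):
    """Model (assumed) a PE that swaps the S-tag AND rewrites the C-tag.

    Returns (accepted, reason).  Double-tagged frames pass; a single-tagged
    CFM frame is the case the lab saw dropped: there is no C-tag to rewrite.
    """
    info = parse_tags(frame)
    tags = info["tags"]
    if not tags or tags[0]["vid"] != expected_svlan:
        return False, "outer tag missing or not the expected SVLAN"
    if len(tags) >= 2:
        return True, f"C-tag {tags[1]['vid']} present, rewrite possible"
    if info["ethertype"] == ETHERTYPE_CFM:
        return False, "single-tagged CFM OAM: no C-tag to rewrite"
    return False, "single-tagged frame: no C-tag to rewrite"


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame builder for test data; tags are (tpid, pcp, vid) tuples."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed: a CCM as a CPE would send it, one S-tag (VID 100), then CFM.
    oam = build_frame("01:80:c2:00:00:30", "00:11:22:33:44:55",
                      [(TPID_8021Q, 7, 100)], ETHERTYPE_CFM, bytes(8))
    # Constructed: ordinary customer data, S-tag 100 over C-tag 10.
    data = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                       [(TPID_8021AD, 0, 100), (TPID_8021Q, 0, 10)], ETHERTYPE_IPV4, bytes(20))
    for name, f in (("oam", oam), ("data", data)):
        info = parse_tags(f)
        print(name, [t["vid"] for t in info["tags"]], hex(info["ethertype"]),
              pe_cvlan_rewrite_ok(f, 100))
```

Feeding captures from the lab (the 14-plus bytes of each frame) through `parse_tags` tells you at once whether the OAM frames reaching the PE really are single-tagged, which is the premise of the "don't manipulate the CVLAN" workaround.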






RE: just seen my first IPv6 network abuse scan, is this the startfor more?

2010-09-07 Thread Jamie Bowden
Forgive the top posting, but Lookout is the corporate standard.

Now, on to the topic at hand.  Why would you scan the address space in
the first place?  Wouldn't it be easier to compromise a known host and
look at the ARP table?  Or better yet, the router on the edge?  If it's
moving packets, something on the network has mapped the MAC address to
its IP at some point.

Jamie

-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net] 
Sent: Friday, September 03, 2010 3:42 PM
To: NANOG list
Subject: Re: just seen my first IPv6 network abuse scan, is this the
startfor more?


On Sep 4, 2010, at 12:19 AM, Steven Bellovin wrote:

> See http://www.cs.columbia.edu/~smb/papers/v6worms.pdf

I've seen it and concur with regards to worms (which don't seem to be
very popular, right now, excepting the 'background radiation' of old
Code Red, Nimda, Blaster, Nachi, SQL Slammer, et al. hosts).  I believe
that hinted scanning is still viable, and I'd argue that the experience
of the OP who kicked off this thread is an indication of same.

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.








RE: IPv4 squatters on the move again?

2010-09-07 Thread Tero Toikkanen
Yeah, it's pretty obvious from the start. I'd like to see the VoIP-system with 
those requirements...

I just think these cases should be made public to at least slow these guys 
down, just in case someone else is less clueful :) If these really happen all 
the time in the big world, this list may not be the right place, but just 
something Google can find. This is not the first time we have come across requests 
like this, but they are still not so common in the Finnish hosting scene.

With Kind Regards,
--
Tero Toikkanen
Nebula Oy Internet Services

> Kind of funny how they intend to do enough 'WholesaleVoIP" on a 10Mbps
> connection/1GB RAM  for a /20 :)
> 
> That is a giveaway in itself.
> -Original Message-
> From: Tero Toikkanen 
> Date: Tue, 7 Sep 2010 08:24:05
> To: NANOG list
> Subject: IPv4 squatters on the move again?
> 
> Anyone hear of the SundownGroup?
> 
> On Thursday we received an interesting RFQ from them and suspect their
> intentions for requesting an IP assignment aren't exactly what they state. We
> have already turned them down, but thought others might be interested in
> their activities as well. RIPE NCC has also been notified of this.
> 
> In brief they wanted to buy colo from us: "P4 single core @ 2 Ghz, 1 GB RAM,
> 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block
> of IP Addresses"
> 
> Their reason for requesting such a large address block was "As we are
> currently launching our WholesaleVOIP operation we are in desperate need of
> this IP space as part of our ARIN process we will need these ranges SWIPd to
> us and we will in turn renumber with ARIN and return the netblocks to you as
> soon as ours are allocated and routed."
> 
> Interesting tidbits about the company we and the networking community have
> already found out:
> 
> Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has
> been notified).
> 
> The contact address is the same as National University Nevada (nu.edu):
> 
> Sundown Capital Management LLC
> 2850 Horizon Ridge Parkway
> Henderson, Nevada 89052
> United States of America
> 
> They also have virtually no Internet presence
> (http://www.google.com/search?q=%22Sundown+Capital+Management%22)
> The first result shows them as a franchising company with contact address in
> California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-
> 32709-FDD-With-Exhibits
> 
> I'd say this case is pretty obvious...
> 
> With Kind Regards,
> --
> Tero Toikkanen
> Nebula Oy Internet Services




Re: IPv4 squatters on the move again?

2010-09-07 Thread khatfield
Kind of funny how they intend to do enough 'WholesaleVoIP" on a 10Mbps 
connection/1GB RAM  for a /20 :) 

That is a giveaway in itself.
-Original Message-
From: Tero Toikkanen 
Date: Tue, 7 Sep 2010 08:24:05 
To: NANOG list
Subject: IPv4 squatters on the move again?

Anyone hear of the SundownGroup?

On Thursday we received an interesting RFQ from them and suspect their 
intentions for requesting an IP assignment aren't exactly what they state. We 
have already turned them down, but thought others might be interested in their 
activities as well. RIPE NCC has also been notified of this.

In brief they wanted to buy colo from us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 
GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of 
IP Addresses"

Their reason for requesting such a large address block was "As we are currently 
launching our WholesaleVOIP operation we are in desperate need of this IP space 
as part of our ARIN process we will need these ranges SWIPd to us and we will 
in turn renumber with ARIN and return the netblocks to you as soon as ours are 
allocated and routed."

Interesting tidbits about the company we and the networking community have 
already found out:

Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has 
been notified).

The contact address is the same as National University Nevada (nu.edu):

Sundown Capital Management LLC
2850 Horizon Ridge Parkway
Henderson, Nevada 89052
United States of America

They also have virtually no Internet presence 
(http://www.google.com/search?q=%22Sundown+Capital+Management%22)
The first result shows them as a franchising company with contact address in 
California: 
http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits

I'd say this case is pretty obvious...

With Kind Regards,
--
Tero Toikkanen
Nebula Oy Internet Services



Re: IPv4 squatters on the move again?

2010-09-07 Thread Jeffrey Lyon
We see this all the time, usually it involves either a /20 or multiple-/xx
that change every month.

Jeff

On Tue, Sep 7, 2010 at 12:54 PM, Tero Toikkanen wrote:

> Anyone hear of the SundownGroup?
>
> On Thursday we received an interesting RFQ from them and suspect their
> intentions for requesting an IP assignment aren't exactly what they state. We
> have already turned them down, but thought others might be interested in
> their activities as well. RIPE NCC has also been notified of this.
>
> In brief they wanted to buy colo from us: "P4 single core @ 2 Ghz, 1 GB
> RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net
> block of IP Addresses"
>
> Their reason for requesting such a large address block was "As we are
> currently launching our WholesaleVOIP operation we are in desperate need of
> this IP space as part of our ARIN process we will need these ranges SWIPd to
> us and we will in turn renumber with ARIN and return the netblocks to you as
> soon as ours are allocated and routed."
>
> Interesting tidbits about the company we and the networking community have
> already found out:
>
> Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast
> has been notified).
>
> The contact address is the same as National University Nevada (nu.edu):
>
> Sundown Capital Management LLC
> 2850 Horizon Ridge Parkway
> Henderson, Nevada 89052
> United States of America
>
> They also have virtually no Internet presence (
> http://www.google.com/search?q=%22Sundown+Capital+Management%22)
> The first result shows them as a franchising company with contact address
> in California:
> http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits
>
> I'd say this case is pretty obvious...
>
> With Kind Regards,
> --
> Tero Toikkanen
> Nebula Oy Internet Services
>
>


-- 

Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions


IPv4 squatters on the move again?

2010-09-07 Thread Tero Toikkanen
Anyone hear of the SundownGroup?

On Thursday we received an interesting RFQ from them and suspect their 
intentions for requesting an IP assignment aren't exactly what they state. We 
have already turned them down, but thought others might be interested in their 
activities as well. RIPE NCC has also been notified of this.

In brief they wanted to buy colo from us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 
GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of 
IP Addresses"

Their reason for requesting such a large address block was "As we are currently 
launching our WholesaleVOIP operation we are in desperate need of this IP space 
as part of our ARIN process we will need these ranges SWIPd to us and we will 
in turn renumber with ARIN and return the netblocks to you as soon as ours are 
allocated and routed."

Interesting tidbits about the company we and the networking community have 
already found out:

Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has 
been notified).

The contact address is the same as National University Nevada (nu.edu):

Sundown Capital Management LLC
2850 Horizon Ridge Parkway
Henderson, Nevada 89052
United States of America

They also have virtually no Internet presence 
(http://www.google.com/search?q=%22Sundown+Capital+Management%22)
The first result shows them as a franchising company with contact address in 
California: 
http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits

I'd say this case is pretty obvious...

With Kind Regards,
--
Tero Toikkanen
Nebula Oy Internet Services