Re: A fascinating piece of spam

2010-12-07 Thread Joly MacFie
Nanog is available via at least two archives on the public web - try
googling any line of text - even this one.

j

On Tue, Dec 7, 2010 at 10:08 PM, Marshall Eubanks wrote:

> I have been seeing "targeted" spam for a while now - typically from someone
> with my last name and a random first name,
> and a familiar subject line.
>
> Just wait until they start using the _text_ from open mail lists as well.
>
> Regards
> Marshall
>
>
>
-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
  Secretary - ISOC-NY - http://isoc-ny.org
---


Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread James Hess
On Mon, Dec 6, 2010 at 1:50 AM, Sean Donelan  wrote:

> February 2000 weren't the first DDOS attacks, but the attacks on multiple
> Other than buying lots of bandwidth and scrubber boxes, have any other DDOS
> attack vectors been stopped or rendered useless during the last decade?

Very little, no, and no.
Not counting occasional application bugs that are quickly fixed.
Even TCP weaknesses that can facilitate attack are still present in
the protocol.

New vectors and variations of those old vectors emerged since the 1990s.
So there is an increase in the number of attack vectors to be
concerned about, not a reduction.

SYN and Smurf are swords and spears after someone came up with atomic
weaponry. The atomic weaponry is named "bot net". Which is why there is
less concern about the former types of single-real-origin-spoofed-source
attacks.

Botnet-based DDoS is just "Smurf" where amplification nodes are obtained
by system compromise instead of router misconfiguration, and a minor
variation on the theme where the chain reaction is not started by
sending spoofed ICMP ECHOs.

Since 2005 there are new beasts such as "Slowloris" and "DNS Reflection".
DNS Reflection attacks are a more direct successor to smurf; true smurf
broadcast amplification points are rare today, diminishing returns for
the attacker trying to find the 5 or 6 misconfigured gateways out there,
but that doesn't diminish the vector of spoofed small-request,
large-response attacks.

Open DNS servers are everywhere.

SYN attacks traditionally come from a small number of sources and rely
on spoofing to attack limitations on the available number of connection
slots for success.

New vectors that became most well-known in the late 90s utilize botnets,
and an attacker can make full connections, therefore requiring zero
spoofing, negating the benefit of SYN cookies.

In other words, SYN floods got supplanted by TCP_Connect floods.



-- 
-JH
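The three vectors James contrasts, written up as detection logic over a constructed flow sample (an added example, not code from the thread): half-open SYNs from many sources, completed handshakes from many sources, and DNS answers a host never asked for. The records use RFC 5737 test addresses and the thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Illustrative thresholds (assumptions, not from the thread).
SYN_FLOOD_MIN_SOURCES = 20
CONNECT_FLOOD_MIN_SOURCES = 20
REFLECTION_MIN_BYTES = 50_000


def build_sample():
    """Constructed flow records using RFC 5737 test addresses:
    (proto, src, sport, dst, dport, tcp_flags, bytes)."""
    recs = []
    # 1) Classic SYN flood: 40 spoofed sources, one SYN each, no handshake.
    for i in range(40):
        recs.append(("tcp", "198.51.100.%d" % (i + 1), 40000 + i,
                     "203.0.113.10", 80, "S", 60))
    # 2) Botnet connect flood: 30 real hosts finish the handshake (S, S/A, A)
    #    and then sit on the connection slot. Nothing is spoofed here.
    for i in range(30):
        bot, port = "192.0.2.%d" % (i + 1), 50000 + i
        recs.append(("tcp", bot, port, "203.0.113.20", 80, "S", 60))
        recs.append(("tcp", "203.0.113.20", 80, bot, port, "SA", 60))
        recs.append(("tcp", bot, port, "203.0.113.20", 80, "A", 52))
    # 3) DNS reflection: 25 open resolvers deliver large answers to a victim
    #    that never sent them a query (the query carried its spoofed address).
    for i in range(25):
        recs.append(("udp", "198.51.100.%d" % (100 + i), 53,
                     "203.0.113.30", 33000 + i, "", 3500))
    # Legitimate background: the same victim queries its own resolver once.
    recs.append(("udp", "203.0.113.30", 34000, "192.0.2.53", 53, "", 64))
    recs.append(("udp", "192.0.2.53", 53, "203.0.113.30", 34000, "", 120))
    return recs


def classify(records):
    """Per destination, separate half-open SYNs from completed handshakes and
    solicited from unsolicited DNS answers, then label the pattern."""
    syn_only = defaultdict(set)      # dst -> sources with a SYN but no ACK yet
    established = defaultdict(set)   # dst -> sources that completed the handshake
    dns_in = defaultdict(lambda: defaultdict(int))  # dst -> resolver -> bytes
    dns_asked = defaultdict(set)     # host -> resolvers it really queried
    for proto, src, sport, dst, dport, flags, size in records:
        if proto == "tcp":
            if flags == "S":
                syn_only[dst].add(src)
            elif flags == "A" and src in syn_only[dst]:
                syn_only[dst].discard(src)
                established[dst].add(src)
        elif proto == "udp":
            if dport == 53:
                dns_asked[src].add(dst)
            elif sport == 53:
                dns_in[dst][src] += size
    verdicts = {}
    for target in set(syn_only) | set(established) | set(dns_in):
        unsolicited = {r: b for r, b in dns_in[target].items()
                       if r not in dns_asked[target]}
        v = {"syn_only": len(syn_only[target]),
             "established": len(established[target]),
             "reflectors": len(unsolicited),
             "reflected_bytes": sum(unsolicited.values())}
        if v["reflected_bytes"] >= REFLECTION_MIN_BYTES:
            v["label"] = "dns-reflection"     # spoofed small request, large answer
        elif v["established"] >= CONNECT_FLOOD_MIN_SOURCES:
            v["label"] = "tcp-connect-flood"  # full connections: SYN cookies don't help
        elif v["syn_only"] >= SYN_FLOOD_MIN_SOURCES:
            v["label"] = "syn-flood"          # half-open: SYN cookies do help
        else:
            v["label"] = "normal"
        verdicts[target] = v
    return verdicts


if __name__ == "__main__":
    for target, v in sorted(classify(build_sample()).items()):
        print(target, v["label"], v)
```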



Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Adrian Chadd
On Wed, Dec 08, 2010, Dobbins, Roland wrote:
> 
> On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote:
> 
> > The real problem is people.
> 
> Well, yes - but short of mass bombardment, eliminating people doesn't scale 
> very well, and is generally frowned upon.
> 
> ;>

I think history can conclusively state we're much, much better at eliminating
people than we are hacked boxes; that politicians seem much happier somehow
about the former than the latter; and our collective "clue" at being able to
do so is growing much faster than our electronic toolkits. :-)

(Oh god. :-)



Adrian




Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Dobbins, Roland

On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote:

> The real problem is people.

Well, yes - but short of mass bombardment, eliminating people doesn't scale 
very well, and is generally frowned upon.

;>

---
Roland Dobbins  // 

 Sell your computer and buy a guitar.






Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Adrian Chadd
Botnets are the symptom.

The real problem is people.



Adrian

On Wed, Dec 08, 2010, Dobbins, Roland wrote:
> 
> On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote:
> 
> > Other than trying to hide your real address, what can be done to prevent 
> > DDOS in the first place.
> 
> 
> DDoS is just a symptom.  The problem is botnets.  
> 
> Preventing hosts from becoming bots in the first place and taking down 
> existing botnets is the only way to actually *prevent* DDoS attacks.  Note 
> that prevention is distinct from *defending* oneself against DDoS attacks.
> 
> ---
> Roland Dobbins  // 
> 
>  Sell your computer and buy a guitar.
> 
> 
> 
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Dobbins, Roland

On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote:

> Other than trying to hide your real address, what can be done to prevent DDOS 
> in the first place.


DDoS is just a symptom.  The problem is botnets.  

Preventing hosts from becoming bots in the first place and taking down existing 
botnets is the only way to actually *prevent* DDoS attacks.  Note that 
prevention is distinct from *defending* oneself against DDoS attacks.

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.







Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Paul Ferguson

On Tue, Dec 7, 2010 at 8:32 PM, Patrick W. Gilmore 
wrote:

> On Dec 7, 2010, at 11:26 PM, Sean Donelan wrote:

>> Other than trying to hide your real address, what can be done to prevent
>> DDOS in the first place.
>
> Don't piss people off on IRC? :)
>

After I laughed for a minute or two, you're exactly right -- although the
social & political issues involved go far beyond IRC.

Witness the back-and-forth DoS attacks involving Wikileaks and
Anti-Wikileaks proponents going on right now.

But this is not a new phenomenon -- every time there is a perceived insult
or slight against Chinese pride/culture, it always spurs some sort of DoS
attack scenario with grassroots support.

These sorts of attacks have been going on for years, and will escalate far
into the future, methinks.

$.02,

- - ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse@ contacts

2010-12-07 Thread Suresh Ramasubramanian
On Wed, Dec 8, 2010 at 3:30 AM, Shaun Ewing  wrote:
> As mentioned previously, a lot of the traffic in abuse queues is automated
> and you might have anywhere up to 100 emails for a single incident. In
> these cases, we merge the messages into one ticket, handle the case and
> close it off.

Speaking as someone who's been running abuse desks since the mid 90s
[still late to the party compared to other posters in this thread like
say, Joe Greco, but what the heck, hi joe, hope you agree]

Add to it the fact that you get far less "actual email" coming into
abuse desks these days. Far more email that's scripted / at least
semi-automated by smaller trap operators / some small ISPs /
spamcop.net.

ARF'd feedback loops from the large providers (which are mutually
provided to each other - each large provider offers one, and
subscribes to those provided by other SPs) are usually sent to a
separate address and auto processed.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Patrick W. Gilmore
On Dec 7, 2010, at 11:26 PM, Sean Donelan wrote:
> On Mon, 6 Dec 2010, Patrick W. Gilmore wrote:
>>> But as you and others have pointed out, not a lot of defense against
>>> DDoS these days besides horsepower and anycast. :-)
>> 
>> Not just anycast.  I said distributed architecture.  There are more ways to 
>> distribute than anycast.
> 
> The content-side can be duplicated, replicated, distributed.  On the
> eyeball-side it's not as easy to replicate things.  DDOS against user
> networks doesn't generate as much publicity, outside of the gamer world, but 
> is also a problem.
> 
> Other than trying to hide your real address, what can be done to prevent
> DDOS in the first place.

Don't piss people off on IRC? :)

-- 
TTFN,
patrick




Re: Over a decade of DDOS--any progress yet?

2010-12-07 Thread Sean Donelan

On Mon, 6 Dec 2010, Patrick W. Gilmore wrote:

>> But as you and others have pointed out, not a lot of defense against
>> DDoS these days besides horsepower and anycast. :-)
>
> Not just anycast.  I said distributed architecture.  There are more 
> ways to distribute than anycast.

The content-side can be duplicated, replicated, distributed.  On the
eyeball-side it's not as easy to replicate things.  DDOS against user
networks doesn't generate as much publicity, outside of the gamer world, 
but is also a problem.

Other than trying to hide your real address, what can be done to prevent
DDOS in the first place.




Re: A fascinating piece of spam

2010-12-07 Thread Marshall Eubanks
I have been seeing "targeted" spam for a while now - typically from someone 
with my last name and a random first name, and a familiar subject line.

Just wait until they start using the _text_ from open mail lists as well.

Regards
Marshall


On Dec 7, 2010, at 6:46 PM, Joe Greco wrote:

>> Well -- spammers are following the NANOG list in real-time, it seems.  A
>> few hours after my post this afternoon, I received some spam with a
>> correct Subject: line for that post.  I'll be happy to forward the email
>> to anyone who wants to analyze it or find the offender and permanently
>> blacklist "her" from NANOG...
> 
> Funny you should mention that.  About two seconds before your message,
> I got such a bit of spam.
> 
>> From carlafletche...@yahoo.com  Tue Dec  7 17:43:02 2010
>> Return-Path: 
>> Received: from nm15.bullet.mail.ne1.yahoo.com 
>> (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78])
>>by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
>>for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
>> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 
>> 07 Dec 2010 23:42:50 -
>> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 
>> Dec 2010 23:42:50 -
>> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 
>> 2010 23:42:50 -
>> X-Yahoo-Newman-Property: ymail-3
>> X-Yahoo-Newman-Id: 9187.54043...@omp1001.mail.ne1.yahoo.com
>> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; 
>> t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; 
>> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>>  
>> b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0=
>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>>  s=s1024; d=yahoo.com;
>>  
>> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>>  
>> b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=;
>> Message-ID: <828073.58184...@web120306.mail.ne1.yahoo.com>
>> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk
>> 8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg
>> oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23
>> rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N
>> _j50f7Uf_DOQ-
>> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; 
>> Tue, 07 Dec 2010 15:42:49 PST
>> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
>> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST)
>> From: Carla Fletcher 
>> Reply-To: carlafletche...@yahoo.com
>> Subject: Re: Re: Abuse@ contacts
>> To: jgr...@ns.sol.net
> 
> I didn't know that anybody was still keying on subject lines; our spam
> filter tossed it anyways.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail 
> spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
> 
> 




Re: A fascinating piece of spam

2010-12-07 Thread kris foster
All

Taken care of (at least for the @yahoo address I received the spam from).

Chris and Steven, mind fwd'ing the problem emails to adm...@nanog.org?

Kris

On Dec 7, 2010, at 6:19 PM, Christopher Morrow wrote:

> same, sent via yahoomail webmail (I think):
> srcaddr: 173.208.103.211
> 
> On Tue, Dec 7, 2010 at 8:46 PM, Scott Weeks  wrote:
>> 
>> 
>> --- s...@cs.columbia.edu wrote:
>> From: Steven Bellovin 
>> 
>> Yup, same purported sender...
>> 
>> 
>> 
>> From what company?  So we don't make the mistake of buying from them.
>> 
>> scott
>> 
>> 
> 




Re: A fascinating piece of spam

2010-12-07 Thread Christopher Morrow
same, sent via yahoomail webmail (I think):
srcaddr: 173.208.103.211

On Tue, Dec 7, 2010 at 8:46 PM, Scott Weeks  wrote:
>
>
> --- s...@cs.columbia.edu wrote:
> From: Steven Bellovin 
>
> Yup, same purported sender...
> 
>
>
> From what company?  So we don't make the mistake of buying from them.
>
> scott
>
>



Re: ipfix/netflow/sflow generator for Linux

2010-12-07 Thread Dobbins, Roland

On Dec 7, 2010, at 8:27 PM, Thomas York wrote:

> Yes, you can statically set it but that will drastically skew the data in 
> this environment. 


What are you attempting to do that northbound/southbound isn't Good Enough?

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.







Re: A fascinating piece of spam

2010-12-07 Thread Scott Weeks


From: "Scott Weeks" 
From: Steven Bellovin 

Yup, same purported sender...


From what company?  So we don't make the mistake of buying from them.
--




Never mind, I got one too.

www.bradleydentaloffice.com


8  ae1d0.mcr1.saltlake2-ut.us.xo.net (216.156.1.2)  
9  ip65-46-63-46.z63-46-65.customer.algx.net (65.46.63.46)
10  206.130.126.61.west-datacenter.net (206.130.126.61)
11  68.169.38.135.static.westdc.net (68.169.38.135)

Someone from Westhost here?   them please!

scott



Re: A fascinating piece of spam

2010-12-07 Thread Scott Weeks


--- s...@cs.columbia.edu wrote:
From: Steven Bellovin 

Yup, same purported sender...



From what company?  So we don't make the mistake of buying from them.

scott



Re: A fascinating piece of spam

2010-12-07 Thread Steven Bellovin
Yup, same purported sender...


On Dec 7, 2010, at 6:46:40 PM, Joe Greco wrote:

>> Well -- spammers are following the NANOG list in real-time, it seems.  A
>> few hours after my post this afternoon, I received some spam with a
>> correct Subject: line for that post.  I'll be happy to forward the email
>> to anyone who wants to analyze it or find the offender and permanently
>> blacklist "her" from NANOG...
> 
> Funny you should mention that.  About two seconds before your message,
> I got such a bit of spam.
> 
>> From carlafletche...@yahoo.com  Tue Dec  7 17:43:02 2010
>> Return-Path: 
>> Received: from nm15.bullet.mail.ne1.yahoo.com 
>> (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78])
>>by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
>>for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
>> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 
>> 07 Dec 2010 23:42:50 -
>> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 
>> Dec 2010 23:42:50 -
>> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 
>> 2010 23:42:50 -
>> X-Yahoo-Newman-Property: ymail-3
>> X-Yahoo-Newman-Id: 9187.54043...@omp1001.mail.ne1.yahoo.com
>> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; 
>> t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; 
>> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>>  
>> b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0=
>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>>  s=s1024; d=yahoo.com;
>>  
>> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>>  
>> b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=;
>> Message-ID: <828073.58184...@web120306.mail.ne1.yahoo.com>
>> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk
>> 8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg
>> oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23
>> rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N
>> _j50f7Uf_DOQ-
>> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; 
>> Tue, 07 Dec 2010 15:42:49 PST
>> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
>> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST)
>> From: Carla Fletcher 
>> Reply-To: carlafletche...@yahoo.com
>> Subject: Re: Re: Abuse@ contacts
>> To: jgr...@ns.sol.net
> 
> I didn't know that anybody was still keying on subject lines; our spam
> filter tossed it anyways.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail 
> spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
> 


--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: A fascinating piece of spam

2010-12-07 Thread Joe Greco
> Well -- spammers are following the NANOG list in real-time, it seems.  A
> few hours after my post this afternoon, I received some spam with a
> correct Subject: line for that post.  I'll be happy to forward the email
> to anyone who wants to analyze it or find the offender and permanently
> blacklist "her" from NANOG...

Funny you should mention that.  About two seconds before your message,
I got such a bit of spam.

> From carlafletche...@yahoo.com  Tue Dec  7 17:43:02 2010
> Return-Path: 
> Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com 
> [98.138.90.78])
> by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
> for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 
> 07 Dec 2010 23:42:50 -
> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 
> Dec 2010 23:42:50 -
> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 
> 2010 23:42:50 -
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 9187.54043...@omp1001.mail.ne1.yahoo.com
> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; 
> t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; 
> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>  
> b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0=
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>   s=s1024; d=yahoo.com;
>   
> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
>   
> b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=;
> Message-ID: <828073.58184...@web120306.mail.ne1.yahoo.com>
> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk
>  8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg
>  oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23
>  rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N
>  _j50f7Uf_DOQ-
> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; 
> Tue, 07 Dec 2010 15:42:49 PST
> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST)
> From: Carla Fletcher 
> Reply-To: carlafletche...@yahoo.com
> Subject: Re: Re: Abuse@ contacts
> To: jgr...@ns.sol.net

I didn't know that anybody was still keying on subject lines; our spam
filter tossed it anyways.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
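The header walk the thread does by hand, as an added example (not Joe's or anyone else's code from the thread): unfold the Received: lines, take the earliest hop, and read off the submitting client address and the "via HTTP" webmail marker. The sample block is copied from Joe's headers above with the DKIM b= value omitted; treating mx1.sol.net as "your own MX" is this example's assumption about where the trustworthy part of the trail begins.

```python
import re

# Sample header block, copied from Joe Greco's post with the DKIM b= value
# omitted; continuation lines start with whitespace (RFC 5322 folding).
SAMPLE_HEADERS = """\
Return-Path:
Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com
 [98.138.90.78])
 by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
 for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP;
 07 Dec 2010 23:42:50 -
Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07
 Dec 2010 23:42:50 -
Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec
 2010 23:42:50 -
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=;
 h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To;
 b=[omitted]
Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP;
 Tue, 07 Dec 2010 15:42:49 PST
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST)
Subject: Re: Re: Abuse@ contacts
"""

FIELD_RE = re.compile(r"^([\x21-\x39\x3b-\x7e]+):(.*)$")  # "Name: value"
HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.S)    # "from X by Y"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # "[a.b.c.d]"
PROTO_RE = re.compile(r"\b(?:with|via)\s+(\S+)")
DKIM_D_RE = re.compile(r"\bd=([^;\s]+)")


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header section
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:                          # an mbox "From " separator never matches
            fields.append((m.group(1), m.group(2).strip()))
    return fields


def parse_received(value):
    """Split one Received: field into peer IP, receiving host and protocol.
    The clause after ';' is only the timestamp and is ignored."""
    head = value.partition(";")[0]
    hop = HOP_RE.search(head)
    ip = IP_RE.search(hop.group(1)) if hop else None
    proto = PROTO_RE.search(head)
    return {"from_ip": ip.group(1) if ip else None,
            "by": hop.group(2) if hop else None,
            "proto": proto.group(1) if proto else None}


def trace_origin(raw, own_mx):
    """Walk the hops oldest-first and report where the message entered.

    Only the Received: line written by own_mx records something you saw
    yourself; every line below it was written by the sender's provider and
    could in principle be forged, so that peer is reported separately."""
    fields = unfold_headers(raw)
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"]
    hops.reverse()                     # MTAs prepend, so the last field is hop one
    origin = next((h for h in hops if h["from_ip"]), None)
    ingress = next((h for h in hops if h["by"] == own_mx), None)
    dkim = next((v for n, v in fields if n.lower() == "dkim-signature"), "")
    d = DKIM_D_RE.search(dkim)
    return {
        "hop_count": len(hops),
        "hops": hops,
        "origin_ip": origin["from_ip"] if origin else None,
        "submission_host": origin["by"] if origin else None,
        "webmail": bool(origin and origin["proto"]
                        and origin["proto"].upper() == "HTTP"),
        "verified_peer_ip": ingress["from_ip"] if ingress else None,
        "dkim_domain": d.group(1) if d else None,
    }


if __name__ == "__main__":
    for key, val in trace_origin(SAMPLE_HEADERS, "mx1.sol.net").items():
        if key != "hops":
            print("%-18s %s" % (key, val))
```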



A fascinating piece of spam

2010-12-07 Thread Steven Bellovin
Well -- spammers are following the NANOG list in real-time, it seems.  A few 
hours after my post this afternoon, I received some spam with a correct 
Subject: line for that post.  I'll be happy to forward the email to anyone who 
wants to analyze it or find the offender and permanently blacklist "her" from 
NANOG...

--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: ARIN space not accepted

2010-12-07 Thread Valdis . Kletnieks
On Mon, 06 Dec 2010 17:02:40 PST, somebody said:
> >>> From: valdis.kletni...@vt.edu
>  From: valdis.kletni...@vt.edu
> >>> Date: Fri, 03 Dec 2010 20:00:15 -0500
> 
>  224/3
> >>> Oh. And don't forget to do *bidirectional* filtering of these addresses. 
> >>> ;)
> >> Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues
> >> if you accept multicast traffic from anyone.

If you're smart enough to actually do multicast, you're smart enough to remove
the filter for 224/3.  If you're not smart enough to remove the filter, or
you're smart enough but you're one of the 95% that doesn't do multicast, your
site should be doing bidirectional filtering of 224/3. ;)

(Do you really want your users emitting outbound packets to/from 224/3 if you
don't actually do multicast? Probably not...)




BGP attribute 128 activity

2010-12-07 Thread Jared Mauch
Has anyone else been observing this?  This appears to be ATTR_SET and is 
appearing at route-views.

Was curious if anyone else was tracking this (or the origin ;)).

It's been going on for some time now and it's not seemed to cause any troubles 
(part of the reason I monitor for these attributes: early telemetry of 
attribute noise that has caused vendors trouble).

- Jared

-- snip --
 00 00 FD 88 40 01 01 02  40 02 00 40 05 04 00 00  
 00 64
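A decoder for the attribute Jared names, as an added example (not his monitoring code): ATTR_SET, path attribute type 128 (specified in the L3VPN iBGP work later published as RFC 6368), is a 4-octet Origin AS followed by an ordinary run of path attributes, and the bytes in his snip decode to AS 64904 with ORIGIN INCOMPLETE, an empty AS_PATH and LOCAL_PREF 100. The outer 0xC0/128/length wrapper is constructed here to show the attribute as it would sit in an UPDATE.

```python
import struct

# Attribute type codes named here (RFC 4271 for 1-8, RFC 6368 for 128).
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR",
              8: "COMMUNITY", 128: "ATTR_SET"}
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
AS_SEG_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE"}

# The bytes Jared posted: the value of one type-128 attribute.
SAMPLE_ATTR_SET = bytes.fromhex(
    "00 00 FD 88 40 01 01 02 40 02 00 40 05 04 00 00 00 64")
# Same payload wrapped as it travels in an UPDATE: flags 0xC0 (optional,
# transitive), type 128, one-byte length. Constructed for this example.
WRAPPED_UPDATE_ATTRS = bytes([0xC0, 128, len(SAMPLE_ATTR_SET)]) + SAMPLE_ATTR_SET


def parse_path_attributes(data, asn_size=2):
    """Walk a run of path attributes (RFC 4271 section 4.3).

    Every claimed length is checked against the bytes actually present;
    length confusion in attribute parsing is the classic source of the
    vendor trouble that attribute monitoring is meant to give warning of."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 3:
            raise ValueError("truncated attribute header at offset %d" % i)
        flags, code = data[i], data[i + 1]
        if flags & 0x10:                       # Extended Length: 2-byte length
            if len(data) - i < 4:
                raise ValueError("truncated extended length at offset %d" % i)
            length, hdr = struct.unpack("!H", data[i + 2:i + 4])[0], 4
        else:
            length, hdr = data[i + 2], 3
        value = data[i + hdr:i + hdr + length]
        if len(value) != length:
            raise ValueError("attribute %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        attrs.append({"code": code,
                      "name": ATTR_NAMES.get(code, "UNKNOWN(%d)" % code),
                      "optional": bool(flags & 0x80),
                      "transitive": bool(flags & 0x40),
                      "partial": bool(flags & 0x20),
                      "value": decode_value(code, value, asn_size)})
        i += hdr + length
    return attrs


def decode_as_path(value, asn_size):
    """AS_PATH is a run of (segment type, AS count, ASes); asn_size is 2 or 4
    depending on the negotiated 4-octet AS capability."""
    fmt = "!H" if asn_size == 2 else "!I"
    segments, i = [], 0
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = value[i], value[i + 1]
        end = i + 2 + count * asn_size
        if end > len(value):
            raise ValueError("AS_PATH segment overruns the attribute")
        ases = [struct.unpack(fmt, value[j:j + asn_size])[0]
                for j in range(i + 2, end, asn_size)]
        segments.append((AS_SEG_NAMES.get(seg_type, seg_type), ases))
        i = end
    return segments


def decode_value(code, value, asn_size):
    """Decode the attributes the sample uses; anything else stays as hex."""
    if code == 1 and len(value) == 1:
        return ORIGIN_NAMES.get(value[0], value[0])
    if code == 2:
        return decode_as_path(value, asn_size)
    if code in (4, 5) and len(value) == 4:     # MED and LOCAL_PREF: 4-byte ints
        return struct.unpack("!I", value)[0]
    if code == 128:
        return parse_attr_set(value, asn_size)
    return value.hex()


def parse_attr_set(value, asn_size=2):
    """ATTR_SET value: a 4-octet Origin AS followed by the path attributes of
    the original route, carried across the provider network (RFC 6368)."""
    if len(value) < 4:
        raise ValueError("ATTR_SET shorter than its 4-byte Origin AS")
    origin_as = struct.unpack("!I", value[:4])[0]
    return {"origin_as": origin_as,
            "attributes": parse_path_attributes(value[4:], asn_size)}


if __name__ == "__main__":
    for attr in parse_path_attributes(WRAPPED_UPDATE_ATTRS):
        print(attr["name"], attr["value"])
```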




ARIN receives 2 new /8 blocks

2010-12-07 Thread Leslie Nobile

Hello-

ARIN received the IPv4 address blocks 23.0.0.0/8 and 100.0.0.0/8 from the IANA 
on November 30, 2010.  We will begin making allocations of /22 and shorter 
prefixes from these blocks in the near future in accordance with ARIN’s minimum 
allocation policy.

Network operators may wish to adjust any filters in place accordingly.

For informational purposes, a list of ARIN's currently administered IP address 
blocks can be found at:

https://www.arin.net/knowledge/ip_blocks.html

Regards,

Leslie Nobile
Director, Registration Services
American Registry for Internet Numbers (ARIN)







RE: Lightning Debates at NANOG 51

2010-12-07 Thread George Bonser


> From: Tom Daly 
> Sent: Tuesday, December 07, 2010 12:41 PM
> To: George Bonser
> Cc: nanog@nanog.org; Greg Whynott
> Subject: Re: Lightning Debates at NANOG 51
> 
> > A good topic might be ipv6 migration strategies:  dual stack or
> native
> > v6 with nat64/dns64
> 
> Alright, added. Are you volunteering to speak to one point or the
> other?

I might be happy to submit something written but won't be able to get there in 
person.  Being a sole full-time parent causes some adjustment in priorities.

I would certainly be interested in the opinions of others, too.




Re: Lightning Debates at NANOG 51

2010-12-07 Thread kris foster
This is nanog-futures stuff and/or community meeting stuff.

Kris

On Dec 7, 2010, at 2:12 PM, Christian Pena wrote:

> I agree, I just joined the list today and was about to unsubscribe because of 
> all the relatively useless posts 
> 
> "Leo Bicknell"  wrote:
> 
>> 
>> I have a suggestion...
>> 
>> Nanog Mailing List: Critical Operational Content vs. Break time
>> Amusement
>> 
>> *ducks*
>> 
>> -- 
>>  Leo Bicknell - bickn...@ufp.org - CCIE 3440
>>   PGP keys at http://www.ufp.org/~bicknell/
> 
> -- 
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> 




Re: Lightning Debates at NANOG 51

2010-12-07 Thread Christian Pena
I agree, I just joined the list today and was about to unsubscribe because of 
all the relatively useless posts 

"Leo Bicknell"  wrote:

>
>I have a suggestion...
>
>Nanog Mailing List: Critical Operational Content vs. Break time
>Amusement
>
>*ducks*
>
>-- 
>   Leo Bicknell - bickn...@ufp.org - CCIE 3440
>PGP keys at http://www.ufp.org/~bicknell/

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: Abuse@ contacts

2010-12-07 Thread Shaun Ewing

From: Gavin Pearce 

>How many of you (honestly) actively manage and respond to abuse@ contact
>details listed in WHOIS? Or have had any luck with abuse@ contacts in
>the past? Who's good and who isn't?
>

We monitor our abuse queues, but when the email is just a stock standard
incident (eg: spam or phishing) we don't actually reply to the emails
unless more information is required.

As mentioned previously, a lot of the traffic in abuse queues is automated
and you might have anywhere up to 100 emails for a single incident. In
these cases, we merge the messages into one ticket, handle the case and
close it off.

The nature of our business (hosting) means that we do get a decent amount
of abuse traffic - ranging from compromised, out-of-date CMSs used to send
spam or host phishing sites right through to fraudulent accounts again
used to send spam.

Rather than hire additional staff to respond to each abuse email
individually we prefer to invest in systems to stop the abuse in the first
place. For example, all outbound email from our shared hosting network is
checked for spam/viruses and any unusual traffic (such as a spike from a
customer who typically only sends a few messages a day) is flagged.

-Shaun




Re: Lightning Debates at NANOG 51

2010-12-07 Thread Jac Kloots




On Tue, 7 Dec 2010, Owen DeLong wrote:

>> Ethernet: 40GE vs. 100GE
>
> ROFL

Even more interesting is the 100GE Optics debate. Standardized (expensive 
and very scarce) 100GBASE-LR4 vs non-standard but cheaper and easier to 
manufacture LR10 (based on 10x 10Gbit/s on a very narrow DWDM-grid)..

Jac


--
Jac Kloots
Network Services
SURFnet bv



Re: Lightning Debates at NANOG 51

2010-12-07 Thread Scott Weeks


--- t...@dyn.com wrote:
From: Tom Daly 
> > Ethernet: 40GE vs. 100GE
> people are debating which is better?   really?

I'm sure someone has an opinion...



On NANOG?  Naahhh  >;-)


scott



Re: Lightning Debates at NANOG 51

2010-12-07 Thread John Kristoff
On Tue, 7 Dec 2010 15:24:16 -0500 (EST)
Tom Daly  wrote:

> They are meant to be informative. Maybe you have no idea on what XFP
> or SFP+ is because you've been running a Gigabit based network and
> haven't made the jump to 10GE yet - the debate might give you the top
> 3-5 points on why each might be the right option for you. And then,
> of course, there is a fun factor.

Hi Tom,

I think this could work.  However, instead of in terms of X versus Y,
I'd suggest coming up with some proposition, such as "You need to be
deploying IPv6 right now" and let people sign up for the affirmative or
negative.

John



Re: Lightning Debates at NANOG 51

2010-12-07 Thread Tom Daly
Greg,

> i suspect you are correct,  not sure who would elect for the slower
> standard,  considering they hit the streets fairly close to each other
> and I can't see there being a huge difference in cost, but i could be
> wrong. (the isp i'm connected to is running 100G now)

Regarding 40G/100G, I'm sure some in the NANOG community have some feeling 
towards 40G as it was intended to be a server platform standard. With 
architectures such as 1aq, TRILL, VL2, etc, there may be some grounds here. 
What's the good of 100G if you can't push the PPS, for example. Just a 
thought...

> i've more 10G ports than you can shake a stick at actually…  my '?'
> was again,  people debate this?  as the bit rates are verbatim,  the
> major difference which one would choose the other over from my
> understanding was distance to endpoint..  but again i could be wrong… 
> wishing now i didn't send anything.  8)

Nah, send away. What debate were you volunteering to take a position on again? 
:)

Tom




Re: Abuse@ contacts

2010-12-07 Thread Christopher Morrow
On Tue, Dec 7, 2010 at 11:39 AM, Gavin Pearce  wrote:
> Hello,
>
>
>
> After a weekend of heavy spam last month, we decided to fire some
> reports over to the abuse contacts for each relevant IP or domain - some
> US/Europe based, others from more "obscure" locations.
>
>
>
> We've not had a reply from any of the reports sent over, other than some
> automated bounces. Each report from us contained detailed information
> about IP, date, headers, spam content, relevant ranges etc ...
>
>
>
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

lack of reply to abuse@ does not mean the box is unmonitored... just
that they don't feel it's helpful to reply to inbound mail with ..
more mail, especially when much of the inbound mail is automated.

> Apologies in advance if this has been around before - I'm new here.   (:

sure.

-chris



Re: Lightning Debates at NANOG 51

2010-12-07 Thread Tom Daly
> In most cases it isn't an option, you use what the hardware uses.  I
> can't decide to use an SFP+ in a unit with XFP form factor.  I select
> the hardware according to the features I need and then buy the optics
> it requires, I don't select the hardware based on the optics modules
> it uses.  The only drawback I have seen so far is finding ER optics in
> SFP+ form factor but they might be available now (I couldn't find them
> a year or so ago).

George,
Good point. Perhaps the context should be more nebulous? Given a choice in an 
ideal world, not limited by the selection of hardware manufacturers, which do you 
prefer? ras did a good talk on optics in the past, I'm sure there's some points 
to discuss.

> A good topic might be ipv6 migration strategies:  dual stack or native
> v6 with nat64/dns64

Alright, added. Are you volunteering to speak to one point or the other?

Thanks,
Tom



Re: Lightning Debates at NANOG 51

2010-12-07 Thread Greg Whynott
>
> Excuse me. Raised floor vs. overhead.

ahh that makes much more sense,  thanks Tom.

>
> I'm sure someone has an opinion…

i suspect you are correct,  not sure who would elect for the slower standard,  
considering they hit the streets fairly close to each other and I can't see 
there being a huge difference in cost, but i could be wrong. (the isp i'm 
connected to is running 100G now)

>
>>> Optics: XFP vs. SFP+
>> Maybe you have no idea on what XFP or SFP+ is because you've been running a 
>> Gigabit based network and haven't made the jump to 10GE yet -

i've more 10G ports than you can shake a stick at actually…  my '?' was again,  
people debate this?  as the bit rates are verbatim,  the major difference which 
one would choose the other over from my understanding was distance to 
endpoint..  but again i could be wrong…  wishing now i didn't send anything.  8)


-g




--

This message and any attachments may contain confidential and/or privileged 
information for the sole use of the intended recipient. Any review or 
distribution by anyone other than the person for whom it was originally 
intended is strictly prohibited. If you have received this message in error, 
please contact the sender and delete all copies. Opinions, conclusions or other 
information contained in this message may not be that of the organization.



RE: Lightning Debates at NANOG 51

2010-12-07 Thread George Bonser
> They are meant to be informative. Maybe you have no idea on what XFP or
> SFP+ is because you've been running a Gigabit based network and haven't
> made the jump to 10GE yet - the debate might give you the top 3-5
> points on why each might be the right option for you. And then, of
> course, there is a fun factor.
> 
> Tom
> 

In most cases it isn't an option, you use what the hardware uses.  I can't 
decide to use an SFP+ in a unit with XFP form factor.  I select the hardware 
according to the features I need and then buy the optics it requires, I don't 
select the hardware based on the optics modules it uses.  The only drawback I 
have seen so far is finding ER optics in SFP+ form factor but they might be 
available now (I couldn't find them a year or so ago).

A good topic might be ipv6 migration strategies:  dual stack or native v6 with 
nat64/dns64




Re: Lightning Debates at NANOG 51

2010-12-07 Thread Tom Daly
Greg,

> forgive me,  but what is the difference between raised floor and
> underfloor?

Excuse me. Raised floor vs. overhead.

> > Ethernet: 40GE vs. 100GE
> 
> people are debating which is better?   really?

I'm sure someone has an opinion...

> > Optics: XFP vs. SFP+
> 
> ?
> 
> some interesting choices of things to debate..  are these serious
> debate sessions or more for fun?

They are meant to be informative. Maybe you have no idea on what XFP or SFP+ is 
because you've been running a Gigabit based network and haven't made the jump 
to 10GE yet - the debate might give you the top 3-5 points on why each might be 
the right option for you. And then, of course, there is a fun factor.

Tom




Re: Lightning Debates at NANOG 51

2010-12-07 Thread Leo Bicknell

I have a suggestion...

Nanog Mailing List: Critical Operational Content vs. Break time Amusement

*ducks*

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Lightning Debates at NANOG 51

2010-12-07 Thread Greg Whynott

> Cooling: Raised floor vs. Underfloor


forgive me,  but what is the difference between raised floor and underfloor?


>
> Ethernet: 40GE vs. 100GE

people are debating which is better?   really?



>
> Optics: XFP vs. SFP+

?

some interesting choices of things to debate..  are these serious debate 
sessions or more for fun?









Re: Lightning Debates at NANOG 51

2010-12-07 Thread Owen DeLong

On Dec 7, 2010, at 11:20 AM, Tom Daly wrote:

> Folks,
> I've been tempted by the NANOG PC into trying to run some "Lightning Debates" 
> at NANOG 51 in Miami. The idea, similar to lightning talks, is a 30 minute 
> session, covering 3 debate topics, 10 minutes each. Each person would get 5 
> minutes to argue their side of the issue.
> 
> Some ideas so far:
> 
> UPS Systems: Battery vs. Flywheel
> 
Which side will be represented by the folks from 365 Main?

> Cooling: Raised floor vs. Underfloor
> 
What about overhead (which is the usual opposite to underfloor
which is the same as raised floor in most cases)

> Power: AC vs. DC
> 
I think this is more context sensitive and that a one-size fits all argument
on either side wouldn't make much sense.

> Ethernet: 40GE vs. 100GE
> 
ROFL

> Optics: XFP vs. SFP+
> 
This is a debate topic? Really?

> Address Families: IPv4 vs. IPv6
> 
Ooh... This one might be interesting.

Owen




Re: Abuse@ contacts

2010-12-07 Thread Joe Greco
> On Tue, Dec 07, 2010 at 04:39:54PM -, Gavin Pearce wrote:
> > How many of you (honestly) actively manage and respond to abuse@ contact
> > details listed in WHOIS? Or have had any luck with abuse@ contacts in
> > the past? Who's good and who isn't?
> 
> Inbound: wherever I am, I try to make it a point of emphasis that
> incoming mail to abuse very likely represents someone trying to help
> us by doing the job that we failed to do, and as such, it deserves
> very high priority, and -- if correct -- our gratitude.
> 
> Outbound: mixed.  I've had excellent response from academic institutions
> (most recently Indiana University) and from some commercial operations
> (e.g., mail.com).  I've had responses somewhere between "non-existent",
> "miserable", and "random" from major freemail providers.

Having watched this issue for years, I'll say that there's a large body
of good abuse desks you'll never need to talk to, because the very 
qualities that cause a network to host a responsive abuse desk are in
many cases the same things that drive engineering and other processes
that minimize the chances for abuse in the first place.  For the best
networks, the abuse desk exists entirely as a fire alarm, never meant
to receive any volume of meaningful complaints, because there should be
no abusive traffic originating.  This includes many corporate networks.

Middle ground are many schools, where policy is to run a clean network,
but practical realities of students and faculty result in some problems.
They truly appreciate abuse reports, because so few people bother to 
send them in this era, and doing so helps make the Internet a nicer 
place to be.  On the other hand, other schools have clearly given the
issue no thought, or don't wish to deal with the problems...

Commercial service providers are more of a mixed bag.  Many are very
clueful and want to run a clean network.  Others look at the abuse desk
as a money-losing black hole that serves mainly to cause customer churn.
Cheap webhosts and the like are typically under pressure to keep costs
low.  You may end up with an abuse desk that overreacts, or that doesn't
care until the volume of complaints becomes deafening.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Lightning Debates at NANOG 51

2010-12-07 Thread Tom Daly
Folks,
I've been tempted by the NANOG PC into trying to run some "Lightning Debates" 
at NANOG 51 in Miami. The idea, similar to lightning talks, is a 30 minute 
session, covering 3 debate topics, 10 minutes each. Each person would get 5 
minutes to argue their side of the issue.

Some ideas so far:

UPS Systems: Battery vs. Flywheel

Cooling: Raised floor vs. Underfloor

Power: AC vs. DC

Ethernet: 40GE vs. 100GE

Optics: XFP vs. SFP+

Address Families: IPv4 vs. IPv6

I'm soliciting panelists, and ideas. Please let me know if you're interested in 
participating in what will hopefully be a unique and exciting session.

Best,
Tom

-- 
Tom Daly
http://dyn.com/




Re: ARIN space not accepted

2010-12-07 Thread Steven Bellovin

On Dec 4, 2010, at 1:43 09AM, Kevin Oberman wrote:

>> From: valdis.kletni...@vt.edu
>> Date: Fri, 03 Dec 2010 20:00:15 -0500
>> 
>> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
>> 
>>> It is speculated that no later than Q1, two more /8's will be allocated,
>>> triggering a policy that will give the remaining 5 /8's out to the
>>> RIR's.  That means, prior to end of Q1, the bogon list will be:
>>> 
>>> 0/8
>>> 10/8
>>> 127/8
>>> 172.16/12
>>> 192.168/16
>>> 224/3
>> 
>> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
> 
> Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues
> if you accept multicast traffic from anyone.

Bidirectional blocking of traffic with source addresses in 224/3 -- that should 
never happen unless I badly misunderstand multicast.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
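The distinction Kevin and Steve draw above, as an added illustration that is not from either poster: a bogon check that applies the quoted list to the source address in both directions, but leaves 224/4 alone as a destination so multicast keeps working. Treating other 224/3 destinations (class E, broadcast) as droppable at the border is my assumption, not something the thread states.

```python
import ipaddress
from typing import List, Tuple

# The bogon list quoted in the thread (Leo's expected post-exhaustion list),
# copied as written there.  224/3 covers multicast (224/4) plus class E.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def is_bogon(addr: str) -> bool:
    """True if addr falls inside any prefix of the quoted bogon list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def filter_packet(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one IPv4 header at the border.

    direction: "in"  = arriving from the outside world
               "out" = leaving our network toward the outside world
    The bogon list is applied to the *source* in both directions (the
    "bidirectional" point).  For the *destination*, 224/4 is a legitimate
    multicast group and is accepted, which is what Kevin's caveat concerns;
    other bogon destinations are dropped (an assumption made here).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if is_bogon(src):
        return ("drop", f"{direction}: bogon source {src}")
    if ipaddress.ip_address(dst) in MULTICAST:
        return ("accept", f"{direction}: multicast destination {dst}")
    if is_bogon(dst):
        return ("drop", f"{direction}: bogon destination {dst}")
    return ("accept", f"{direction}: unicast {src} -> {dst}")


def run_samples() -> List[Tuple[str, str]]:
    """Constructed sample headers (documentation prefixes, not real traffic)."""
    samples = [
        ("in",  "192.168.1.10", "198.51.100.7"),  # RFC1918 source from outside
        ("out", "10.1.2.3",     "203.0.113.9"),   # RFC1918 source leaking out
        ("in",  "203.0.113.9",  "233.1.2.3"),     # multicast group dest: fine
        ("in",  "224.0.0.5",    "203.0.113.9"),   # 224/3 as source: never valid
        ("out", "198.51.100.7", "240.1.1.1"),     # class E destination: drop
        ("out", "198.51.100.7", "203.0.113.9"),   # ordinary unicast
    ]
    return [filter_packet(*s) for s in samples]


if __name__ == "__main__":
    for verdict, reason in run_samples():
        print(f"{verdict:6s} {reason}")
```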








Re: Abuse@ contacts

2010-12-07 Thread Rich Kulawiec
On Tue, Dec 07, 2010 at 04:39:54PM -, Gavin Pearce wrote:
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

Inbound: wherever I am, I try to make it a point of emphasis that
incoming mail to abuse very likely represents someone trying to help
us by doing the job that we failed to do, and as such, it deserves
very high priority, and -- if correct -- our gratitude.

Outbound: mixed.  I've had excellent response from academic institutions
(most recently Indiana University) and from some commercial operations
(e.g., mail.com).  I've had responses somewhere between "non-existent",
"miserable", and "random" from major freemail providers.

---rsk




IP6.ARPA Nameserver Change Completed

2010-12-07 Thread Joe Abley
IP6.ARPA NAMESERVER CHANGE COMPLETED

This is a courtesy notification of a change to the nameserver set
for the IP6.ARPA zone.

There is no expected impact on the functional operation of the DNS
due to this change.

There are no actions required by DNS server operators or end users.

DETAIL

The IP6.ARPA zone is used to provide reverse mapping (number to
name) for IPv6, as described in  RFC 3596. The servers which
previously provided authoritative DNS service for the IP6.ARPA zone
were as follows:

  TINNIE.ARIN.NET
  NS-SEC.RIPE.NET
  NS2.LACNIC.NET
  SEC1.APNIC.NET
  NS.ICANN.ORG

As previously advised, processing began on Wednesday 2010-12-01 to
change the nameserver set to the following, as described in RFC
5855:

  A.IP6-SERVERS.ARPA (operated by ARIN)
  B.IP6-SERVERS.ARPA (operated by ICANN)
  C.IP6-SERVERS.ARPA (operated by AfriNIC)
  D.IP6-SERVERS.ARPA (operated by LACNIC)
  E.IP6-SERVERS.ARPA (operated by APNIC)
  F.IP6-SERVERS.ARPA (operated by RIPE NCC)

This change is now complete.

Regards,


Joe Abley
Director DNS Operations
ICANN




Re: Abuse@ contacts

2010-12-07 Thread Jason Bertoch

On 2010/12/07 11:39 AM, Gavin Pearce wrote:

> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?


I answer our abuse@ address and file reports daily.  I get automated 
responses from the free providers, but have little faith they care 
enough to fix the problem.  RIPE regions seem to process reports with an 
attitude that they care, while LACNIC, AFRINIC, and Asian providers seem 
to ignore all reports if you can even find a working abuse@ contact. 
Smaller providers in the ARIN region also seem to do a good job.


--
/Jason





Re: Abuse@ contacts

2010-12-07 Thread Wayne Lee
>> How many of you (honestly) actively manage and respond to abuse@ contact
>> details listed in WHOIS? Or have had any luck with abuse@ contacts in
>> the past? Who's good and who isn't?
>
> I answer ours, and I've sent a few abuse complaints (sometimes in error...)
> I haven't kept count, but I'd say I get an answer at least 50% of the time.

My support team and I always answer ours. The only mail auto deleted
is when the person contacting us actually tried to send us a copy of
the virus they received. Damn they got all pissed when the mail was
auto dropped.



Wayne



Re: Abuse@ contacts

2010-12-07 Thread Daniel Seagraves

On Dec 7, 2010, at 10:39 AM, Gavin Pearce wrote:

> After a weekend of heavy spam last month, we decided to fire some
> reports over to the abuse contacts for each relevant IP or domain - some
> US/Europe based, others from more "obscure" locations.
> 
> We've not had a reply from any of the reports sent over, other than some
> automated bounces. Each report from us contained detailed information
> about IP, date, headers, spam content, relevant ranges etc ... 
> 
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

I answer ours, and I've sent a few abuse complaints (sometimes in error...)
I haven't kept count, but I'd say I get an answer at least 50% of the time.




Re: Abuse@ contacts

2010-12-07 Thread Simon Waters
> Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

http://www.rfc-ignorant.org/tools/submit_form.php?table=abuse



Darwin becomes home to first multicast mesh network

2010-12-07 Thread Marshall Eubanks
Does anyone know if this is actually an IP multicast mesh network, and, if so, 
anything about its protocols and deployment experience ?

Regards
Marshall

http://www.computerworld.com.au/article/370450/darwin_becomes_home_first_multicast_mesh_network/

Darwin has become home to the first multicast mesh network in Australia after 
the installation of an $8 million 109 camera CCTV self-healing wireless network.

The project, set up to manage six square kilometres of Darwin's CBD, began 
after the NT Police, Fire and Emergency Services Department awarded the 
contract to Darwin-based security company, Security and Technology Services 
(STS).

Managing 109 closed circuit TV cameras initially proved troublesome for the NT 
Police, which often experienced power outages resulting from lightning strikes 
as well as the transmission of high definition video streams from cameras to 
three police stations and a fourth remote storage facility.

Adelaide based network company MIMP was chosen by STS to deliver a highly 
redundant, high performance 128-bit data encrypted wireless network to 
integrate Darwin’s central camera system.


Abuse@ contacts

2010-12-07 Thread Gavin Pearce
Hello,

After a weekend of heavy spam last month, we decided to fire some
reports over to the abuse contacts for each relevant IP or domain - some
US/Europe based, others from more "obscure" locations.

We've not had a reply from any of the reports sent over, other than some
automated bounces. Each report from us contained detailed information
about IP, date, headers, spam content, relevant ranges etc ... 

How many of you (honestly) actively manage and respond to abuse@ contact
details listed in WHOIS? Or have had any luck with abuse@ contacts in
the past? Who's good and who isn't?

Apologies in advance if this has been around before - I'm new here.   (:

Gav



Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread Joel Jaeggli
On 12/7/10 5:18 AM, david raistrick wrote:
> On Mon, 6 Dec 2010, Owen DeLong wrote:
> 
>> Seriously, though, you're welcome to use fd00::/8 for exactly that
>> purpose. The problem is that you (and hopefully it stays this way)
>> won't have much luck finding a vendor that will provide the NAT for
>> you to do it with.
> 
> [with my flame-retardant hat installed firmly]
> 
> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the
> use of RFC1918 space?  Admittedly, it's been a year or two since I last
> had to engineer around that particular set of rules...but it's life or
> death for a lot of folks.

Document a compensating control...

That particular case is trivial to demonstrate that the in scope
addresses are not exposed to the internet.

> 
> 
> -- 
> david raistrick  http://www.netmeister.org/news/learn2quote.html
> dr...@icantclick.org http://www.expita.com/nomime.html
> 
> 




Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread Owen DeLong

On Dec 7, 2010, at 6:05 AM, Chuck Anderson wrote:

> On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
>> On Mon, 6 Dec 2010, Owen DeLong wrote:
>> 
>>> Seriously, though, you're welcome to use fd00::/8 for exactly that  
>>> purpose. The problem is that you (and hopefully it stays this way) 
>>> won't have much luck finding a vendor that will provide the NAT for you 
>>> to do it with.
>> 
>> [with my flame-retardant hat installed firmly]
>> 
>> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the  
>> use of RFC1918 space?  Admittedly, it's been a year or two since I last 
>> had to engineer around that particular set of rules...but it's life or 
>> death for a lot of folks.
> 
> Simple.  Use RFC1918 IPv4 alongside global IPv6 addresses.  Done :-)

1.  PCI allows for equivalent effective security. IPv6 privacy addresses
actually meet that test, among other possible solutions.

2.  I believe there is work underway to correct some of the specious
requirements in PCI DSS, among which this is one.

Owen




Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread Chuck Anderson
On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
> On Mon, 6 Dec 2010, Owen DeLong wrote:
>
>> Seriously, though, you're welcome to use fd00::/8 for exactly that  
>> purpose. The problem is that you (and hopefully it stays this way) 
>> won't have much luck finding a vendor that will provide the NAT for you 
>> to do it with.
>
> [with my flame-retardant hat installed firmly]
>
> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the  
> use of RFC1918 space?  Admittedly, it's been a year or two since I last 
> had to engineer around that particular set of rules...but it's life or 
> death for a lot of folks.

Simple.  Use RFC1918 IPv4 alongside global IPv6 addresses.  Done :-)



RE: ipfix/netflow/sflow generator for Linux

2010-12-07 Thread Thomas York
I just retested nprobe and it has the same issue as most of the other tools.
It doesn't specify the InputInt and OutputInt properly. Yes, you can
statically set it but that will drastically skew the data in this
environment. I'm not against running multiple processes, I've just not found
a product that runs using multiple processes that does what I need to. 

I just noticed the ntop version in EPEL is fairly old, so I'll try to
compile the latest myself and see if it's more stable.

Also, FYI to anyone who is interested in this, I've opened a support ticket
with ipcad to fix the interface numbering issue.

http://tinyurl.com/32pjyfa

From: packetmon...@gmail.com [mailto:packetmon...@gmail.com] On Behalf Of
Darren Bolding
Sent: Monday, December 06, 2010 8:57 PM
To: Thomas York
Subject: Re: ipfix/netflow/sflow generator for Linux

We've used nprobe with good success, passing the flows to ntop, nfsen etc.

nProbe supports specifying the interface- so yes, you would have to run
multiple processes, but I believe it would work.

We went ahead and purchased the PF_RING driver as it significantly improved
the capture performance of our systems.

I'm assuming since you tried it, you really don't want to fire up a separate
process for each interface?  I'd love to hear what you thought about the
various tools and what you end up deciding on.

For us, we collect the data using nprobe and have had no problem getting
ntop to stably analyze those flows when pointed to it.  NFSEN is pretty damn
cool also.  We point various nprobe, netflow, sflow data at it with good
effect.

--D

On Mon, Dec 6, 2010 at 11:15 AM, Thomas York  wrote:

At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
My only issue is that I can't seem to find any good software for Linux that
works with multiple interfaces to generate the flow information. I've tried
ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of
the software only works on one interface (which is useless as I need to do
accounting for numerous interfaces).



I've had the best luck with ipcad. The only thing that seems to not work
with it is that it doesn't correctly give the interface number in the flow
information. It refers to all interfaces as interface 65535. I've tried the
config option for ipcad to map an interface directly to an SNMP interface
ID, but that option of the config file seems to be ignored.



Ntop functionally does exactly what I need, but it's extremely buggy. It
segfaults after a few minutes, regardless of Linux distro or Ntop version.
So..any ideas on what I can do to get good flow information from our Linux
routers?




-- 
--  Darren Bolding  --
--  dar...@bolding.org   --



Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread david raistrick

On Mon, 6 Dec 2010, Owen DeLong wrote:

> Seriously, though, you're welcome to use fd00::/8 for exactly that 
> purpose. The problem is that you (and hopefully it stays this way) won't 
> have much luck finding a vendor that will provide the NAT for you to do 
> it with.


[with my flame-retardant hat installed firmly]

So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the 
use of RFC1918 space?  Admittedly, it's been a year or two since I last had 
to engineer around that particular set of rules...but it's life or death 
for a lot of folks.




--
david raistrick  http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html