Re: random dns queries with random sources
Hello everyone, I can see such crap traffic for over a couple of weeks now, but yes, it appeared all of a sudden and I was also wondering if I am alone experiencing it.

2014-02-19 14:30 GMT+08:00 Joe Maimon jmai...@ttec.com:
> Dobbins, Roland wrote:
>> On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote:
>>> There are ways to deal with it on resolvers as well, like RRL and IDS and iptables
>> None of these things work well for recursive resolvers; they cause more problems than they solve.
> Whatever I am doing appears to be working, at least until this cropped up.
>
> Joe

--
Anurag Bhatia
anuragbhatia.com
Linkedin http://in.linkedin.com/in/anuragbhatia21 | Twitter https://twitter.com/anurag_bhatia
Skype: anuragbhatia.com
PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
Re: random dns queries with random sources
Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?'

We've been seeing a spate of reflected (not amplified) DNS attacks against various authoritative servers in Europe for the past week or so, bounced through some type of consumer DSL broadband CPE with an open DNS forwarder on the WAN interface (don't know the make/model, but it was supplied by the broadband operators to the customers), on some European broadband access networks. Pretty clearly an attack against various authoritative servers.

Right now I'm seeing attacks against the following domains / name servers:

comedc.com  NS f1g1ns1.dnspod.net vip1.zndns.com v1s1.xundns.com
jd176.com   NS ns{1,2}.dnsabc-g.com
x7ok.com    NS safe.qycn.{com,org,net,cn}
bdhope.com  NS ns{1,2}.dnsabc-b.com
yg521.com   NS dns{1,2,3,4,5,6}.iidns.com
56bj56.com  NS ns{1,2}.dnsabc-f.com

This is all detected in AS 2116 - unfortunately we have our share of customers with open resolvers / broadband routers with DNS proxies open towards the WAN side.

Steinar Haug, AS 2116
Re: random dns queries with random sources
> It has been ongoing for a week or so (but not constant). The domain names have a pattern but are comprised of components that appear to be randomly generated. The source IP addresses for the queries appear to be non-duplicated and randomly generated.
>
> Query logs are available for unicasting to the interested.
>
> Has nobody else seen this?

We've seen it. It is pretty clearly an attack against authoritative name servers for various domains, using open recursors or proxies to reflect the queries.

Steinar Haug, AS 2116
RE: GEO location issue with google
Hi Heather,

Thank you very much for sorting out this issue.

Praveen Unnikrishnan
Network Engineer
PMGC Technology Group Ltd
T: 020 3542 6401 M: 07827921390 F: 087 1813 1467 E: p...@pmgroupuk.com
www.pmgroupuk.com | www.pmgchosting.com

PMGC Technology Group Limited is a company registered in England and Wales. Registered number: 7974624 (3/F Sutherland House, 5-6 Argyll Street, London. W1F 7TE). This message contains confidential (and potentially legally privileged) information solely for its intended recipients. Others may not distribute, copy or use it. If you have received this communication in error please contact the sender as soon as possible and delete the email and any attachments without keeping copies. Any views or opinions presented are solely those of the author and do not necessarily represent those of the company or its associated companies unless otherwise specifically stated. All incoming and outgoing e-mails may be monitored in line with current legislation. It is the responsibility of the recipient to ensure that emails are virus free before opening. PMGC® is a registered trademark of PMGC Technology Group Ltd.

From: Heather Schiller [mailto:h...@google.com]
Sent: 13 February 2014 05:43
To: Praveen Unnikrishnan
Cc: nanog@nanog.org
Subject: Re: GEO location issue with google

> Reported to the appropriate folks. Going to www.google.co.uk directly should return you English language results. Appending /en to the end of a google url should also return you English language results. You should also be able to set your language preference in your search settings.
>
> --Heather
>
> On Fri, Feb 7, 2014 at 10:20 AM, Praveen Unnikrishnan p...@pmgroupuk.com wrote:
>> Hi,
>>
>> We are an ISP based in the UK. We have got an ip block from RIPE which is 5.250.176.0/20. All the main search engines like Yahoo show we are based in the UK. But Google thinks we are from Saudi Arabia and we are redirected to www.google.com.sa instead of google.co.uk. I have sent a lot of emails to google but no luck. All the information from google is in Arabic and youtube shows some weird videos as well.
>>
>> Could anyone please help me to sort this out? Would be much appreciated for your time.
>>
>> Praveen Unnikrishnan
>> Network Engineer
>> PMGC Technology Group Ltd
>> T: 020 3542 6401 M: 07827921390 F: 087 1813 1467 E: p...@pmgroupuk.com
>> www.pmgroupuk.com | www.pmgchosting.com
Re: spamassassin
Daniel is correct, he gets a cookie! To the others: please learn to recognize when you have no clue.

We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)

Simon

On 2014-02-19 01:46, Daniel Staal wrote:
> --As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said:
>> in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue?
> --As for the rest, it is mine.
>
> The spamassassin list has been tracking an issue where a new rule made it out of the testbox accidentally, which lowers scores on a lot of spam. It wasn't in the sample you provided, but the rule name is BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100% sure to be spam. As it got promoted prematurely, it's showing with a score of 1.0. (The default.) It's probably a part of your problem. A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%.
>
> More info can be found in the mailing list archives for the spamassassin list.
>
> Daniel T. Staal

--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server -- http://numb.viagenie.ca
RE: random dns queries with random sources
I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack. I have been dealing with one of these lately as well. They were using some open resolvers in my network to reflect, but the random hostnames in the queries are tunneled traffic or keywords. The original sources of the traffic are probably members of a botnet, and this is being used as a sneaky C&C method. Due to the tiny amount of data you can send in the DNS query name field, this will sort of look like an attack, because they have to send thousands of queries to get anything done. They are not attacking the authoritative name servers in those domains, as has been suggested; rather, the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.

Davis Beeman
Network Security Engineer

-----Original Message-----
From: Joe Maimon [mailto:jmai...@ttec.com]
Sent: Tuesday, February 18, 2014 19:08
To: North American Networking and Offtopic Gripes List
Subject: random dns queries with random sources

> Hey all,
>
> DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this.
>
> At different times during the previous days and on different resolvers, routers with proxy turned on, etc... Thousands of queries with thousands of source ip addresses. According to my logs, sources are not being repeated (or not with any significant frequency).
>
> What is the purpose of this?
>
> 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
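As an added example (not code from the thread or from any of the posters), here is a small Python detector for the pattern Joe and Davis describe: BIND query-log lines where, under one parent domain, almost every query comes from a never-repeated source and carries a never-repeated, random-looking leftmost label. That combination is what both a reflected attack and a DNS tunnel look like from a recursive resolver. It embeds eight of the 5kkx.com lines quoted above plus six constructed lines of ordinary traffic for contrast. The churn thresholds, the two-label guess at the registrable domain (no public suffix list is consulted) and the tolerance for newer BIND log layouts are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict

# BIND 9 'queries' category line as it appears in the thread. The optional pieces
# accept newer BIND builds, which insert '@0x...' and a '(name)' after the client.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
    r" \((?P<dst>[0-9a-fA-F.:]+)\)"
)

# Eight lines quoted in the thread, then six constructed lines of ordinary
# traffic (RFC 5737 client addresses) so the detector has something NOT to flag.
SAMPLE_LOG = """\
18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.001 queries: info: client 192.0.2.10#40001: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.002 queries: info: client 192.0.2.11#40002: query: www.example.com IN AAAA + (66.199.132.5)
18-Feb-2014 21:45:27.003 queries: info: client 192.0.2.10#40003: query: mail.example.com IN MX + (66.199.132.5)
18-Feb-2014 21:45:27.004 queries: info: client 192.0.2.11#40004: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.005 queries: info: client 192.0.2.10#40005: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.006 queries: info: client 192.0.2.11#40006: query: mail.example.com IN A + (66.199.132.5)
"""


def parse_line(line):
    """Return the query fields of one BIND query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["qname"] = fields["qname"].rstrip(".").lower()
    return fields


def parent_domain(qname, depth=2):
    """Crude registrable-domain guess: the last `depth` labels. Assumption: no public
    suffix list is used, so names under co.uk-style suffixes need a larger depth."""
    labels = qname.split(".")
    return ".".join(labels[-depth:])


def summarise(lines):
    """Per parent domain: query count, distinct source IPs, distinct leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "sources": set(), "labels": set()})
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue  # unrelated log line, or a layout this regex does not know
        s = stats[parent_domain(q["qname"])]
        s["queries"] += 1
        s["sources"].add(q["src"])
        s["labels"].add(q["qname"].split(".")[0])
    return stats


def suspicious_domains(lines, min_queries=5, churn=0.8):
    """Flag parent domains whose queries come from (almost) never-repeating sources
    AND use (almost) never-repeating leftmost labels, i.e. the thread's signature."""
    flagged = {}
    for dom, s in summarise(lines).items():
        n = s["queries"]
        if n < min_queries:
            continue
        source_churn = len(s["sources"]) / n
        label_churn = len(s["labels"]) / n
        if source_churn >= churn and label_churn >= churn:
            flagged[dom] = {"queries": n,
                            "source_churn": round(source_churn, 2),
                            "label_churn": round(label_churn, 2)}
    return flagged


if __name__ == "__main__":
    for dom, info in suspicious_domains(SAMPLE_LOG.splitlines()).items():
        print(dom, info)
```

Run against a real `queries` log you would feed it a sliding window (say, one minute of lines) rather than the whole file, and raise `min_queries` to something like a few hundred; the two churn ratios are what separate this traffic from a busy but legitimate zone, where the same clients and the same handful of labels recur.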
Re: random dns queries with random sources
On Feb 19, 2014, at 10:57 PM, Beeman, Davis davis.bee...@integratelecom.com wrote:
> I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack.

This makes a lot of sense - good insight, will look into this further!

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On 2014-02-19 11:28, Dobbins, Roland wrote:
>> I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack.
> This makes a lot of sense - good insight, will look into this further!

I use this for free wi-fi in airports and such: http://code.kryo.se/iodine/

If the wi-fi is configured to use an open resolver, we end up with the situation you describe.

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server -- http://numb.viagenie.ca
Re: random dns queries with random sources
Or if you tell your bots to use a set of open resolvers, it helps hide them by a step.

On Wed, Feb 19, 2014 at 8:32 AM, Simon Perreault simon.perrea...@viagenie.ca wrote:
> On 2014-02-19 11:28, Dobbins, Roland wrote:
>>> I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack.
>> This makes a lot of sense - good insight, will look into this further!
>
> I use this for free wi-fi in airports and such: http://code.kryo.se/iodine/
>
> If the wi-fi is configured to use an open resolver, we end up with the situation you describe.
>
> Simon
Deadline Approaching [was: Ad Hoc BCOP Committee - Call for Volunteers]
Hello again NANOGers,

FYI - The deadline for BCOP committee nominations is 28 February. We have received several great candidates already and are hoping to receive several more! If you are interested in joining this grassroots effort to make the Internet a safer, more predictable place (or know someone who should) - please send an email with a brief bio to be...@nanog.org ASAP. We'll be kicking off committee calls in early March! =)

Thanks!
~Chris

On Fri, Jan 31, 2014 at 1:56 PM, Chris Grundemann cgrundem...@gmail.com wrote:
> Hail NANOGers!
>
> Per approval of the NANOG Board in February 2013, a community effort to develop a NANOG sponsored regional BCOP effort was engaged. NANOG BCOP Tracks and updates were provided at RIPE, ARIN, NANOG 57, 58, and 59. In November of 2013, sufficient interest and momentum in the NANOG BCOP effort emerged. On November 21, 2013, the NANOG Board approved the appointment of an Ad Hoc Committee Chair who would report to the Board and direct the efforts of NANOG-BCOP. I have agreed to serve as Chair and am now seeking volunteers to continue with the important work of the committee.
>
> Please consider volunteering your time and effort in support of this important NANOG activity! To help guide you, please review the following committee expectations:
>
> Strategies and Goals:
> * Support an open, transparent, and bottom-up/grassroots process for the creation of current and living practical network operation documentation
> * Facilitate the development of mutually rewarding documents and guides
> * Maintain the sense of community and accessibility in BCOP materials
> * Develop and deploy a portfolio of guides that meet the needs of the broad range of NANOG operators
>
> Deliverables:
> * Responsible for recruiting a minimum of 1 shepherd per calendar year.
> * Responsible for recruiting a minimum of 1 author per calendar year.
> * Required to attend at least 75% of all scheduled committee calls.
> * Expected to attend 66% of all NANOG meetings over the course of your two-year term.
> * A BCOP Ad Hoc Committee Member is expected to volunteer up to 10 hours in the 12 weeks leading into a NANOG meeting and an additional 15 hours all year round
>
> Also see the website at http://bcop.nanog.org for more information.
>
> If you are interested in participating, please send your short bio to Betty Burke, NANOG Executive Director, be...@nanog.org. Betty can also answer any and all questions you may have. Betty or I will be sure to follow-up with each volunteer and get our important work underway as soon as possible.
>
> Cheers,
> ~Chris
> --
> @ChrisGrundemann http://chrisgrundemann.com

--
@ChrisGrundemann http://chrisgrundemann.com
Re: random dns queries with random sources
Beeman, Davis wrote:
> rather, the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer

Somebody must be registering these domain names. And I should be able to compile a list of the auth servers in question.

Joe
RE: random dns queries with random sources
They are, and dropping them just as fast. It seems like they last a day or two, and then move on to another domain name. They are similar enough that the bots probably work off a formula to determine valid requests. It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked...

Davis Beeman | Network Security Engineer | 360.816.3052
Integra

-----Original Message-----
From: Joe Maimon [mailto:jmai...@ttec.com]
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources

> Beeman, Davis wrote:
>> rather, the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.
>>
>> Davis Beeman
>> Network Security Engineer
>
> Somebody must be registering these domain names. And I should be able to compile a list of the auth servers in question.
>
> Joe
Looking for an Amazon EC2 East Contact
Seeing pretty consistent packet loss to/from instances in EC2 East (54.80 IPs) from various vantage points. Working through normal support channels, but looking for a contact to help expedite. Thanks, Ray
VMware Training
Not sure if this list is the best place, but it is probably the only list that I'm on that won't give me a bunch of grief about the chosen technology. I looked at VMware's site, and there are a ton of options. I'm wondering if anyone has some basic suggestions or experiences.

I'm a Linux admin by trade (RH based), with ok networking ability. I'm sufficiently versed in deploying scripted ESXi (including 5.x) installations for a specific environment, including vswitches/SAN config (but only with NFS datastores backed by a NetApp, unfortunately, no block-based stores).

I'd like to get experience deploying VCenter clusters, down to DRS/HA config, other block-based storage, and anything else a large environment needs.

Thoughts or experiences?

--
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538
Re: VMware Training
On Wed, Feb 19, 2014 at 8:14 PM, Phil Gardner phil.gardne...@gmail.com wrote:
> Not sure if this list is the best place, but it is probably the only list that I'm on that won't give me a bunch of grief about the chosen technology. I looked at VMware's site, and there are a ton of options. I'm wondering if anyone has some basic suggestions or experiences.
>
> I'm a Linux admin by trade (RH based), with ok networking ability. I'm sufficiently versed in deploying scripted ESXi (including 5.x) installations for a specific environment, including vswitches/SAN config (but only with NFS datastores backed by a NetApp, unfortunately, no block-based stores).

If you want block storage, just export an iSCSI device to the ESXi machines (tgtadm on RedHat is all you need and a few gigs of free space). VMFS is cluster aware, so you can export the same volume to independent ESXi hosts and as long as you don't access the same files, you're good to go.

> I'd like to get experience deploying VCenter clusters, down to DRS/HA config, other block-based storage, and anything else a large environment needs.

All you need is licenses (Enterprise Plus to get all the nice features) and a vCenter server. If you already have it, just create a new cluster and follow the prompts in the wizards and play with all the options.

> Thoughts or experiences?

When I first started with this it seemed like rocket science, but once you create a cluster and do DRS/HA/dvSwitch/etc it's all pretty basic:

- HA in VMware means that if a host fails, the VMs will be restarted on a different host.
- DRS means automated live migration of virtual machines based on load.
- dvSwitch is a distributed virtual switch whereby you have a consistent configuration across the hosts that you configure from the vCenter server.

If you know RedHat, then from experience in a few days you can learn the ins/outs of how a VMware cluster works.

With ESXi 5.1+ you can run ESXi inside an ESXi host, so if you have a lot of memory on a host you can create your own little lab with all the features and experiment with them.

If you want to certify, then official training is a mandatory requirement.

HTH,
Eugeniu
Re: VMware Training
Hey Phil,

I recently did the VCP certification/course through VMWare; however, I was working with the technology over the past 5 years. Based off your desire to gain experience with it, my recommendation is to load up VMware Workstation on your computer and deploy ESXi instances as the guests. This is cost feasible, and although performance won't be production grade, you have the ability to play with clusters, DRS/HA config, OpenSAN (for your block-based storage), etc. There is a myriad of training docs available, but if you do want the certification itself, you'll have to go through the official course(s).

Cheers,
Matt Chung

On Wed, Feb 19, 2014 at 12:14 PM, Phil Gardner phil.gardne...@gmail.com wrote:
> Not sure if this list is the best place, but it is probably the only list that I'm on that won't give me a bunch of grief about the chosen technology. I looked at VMware's site, and there are a ton of options. I'm wondering if anyone has some basic suggestions or experiences.
>
> I'm a Linux admin by trade (RH based), with ok networking ability. I'm sufficiently versed in deploying scripted ESXi (including 5.x) installations for a specific environment, including vswitches/SAN config (but only with NFS datastores backed by a NetApp, unfortunately, no block-based stores).
>
> I'd like to get experience deploying VCenter clusters, down to DRS/HA config, other block-based storage, and anything else a large environment needs.
>
> Thoughts or experiences?
>
> --
> Phil Gardner
> PGP Key ID 0xFECC890C
> OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

--
-Matt Chung
Re: VMware Training
----- Original Message -----
> From: Eugeniu Patrascu eu...@imacandi.net
>
> If you want block storage, just export an iSCSI device to the ESXi machines (tgtadm on RedHat is all you need and a few gigs of free space). VMFS is cluster aware, so you can export the same volume to independent ESXi hosts and as long as you don't access the same files, you're good to go.

My understanding of a cluster-aware filesystem was that it can be mounted at the physical block level by multiple operating system instances with complete safety. That seems to conflict with what you suggest, Eugeniu; am I missing something (as I often do)?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
random dns queries with random sources
Davis,

Having seen this in the past, and managing both open resolvers and authoritative servers for several large eyeball networks, I think your assumption is correct; this definitely smells like C&C traffic being handled via DNS.

Just my 2c - YMMV - All sales final, As is

- Dale Rumph - Network Engineer/Security Consultant

On Feb 19, 2014 10:58 AM, Beeman, Davis davis.bee...@integratelecom.com wrote:
> I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack. I have been dealing with one of these lately as well. They were using some open resolvers in my network to reflect, but the random hostnames in the queries are tunneled traffic or keywords. The original sources of the traffic are probably members of a botnet, and this is being used as a sneaky C&C method. Due to the tiny amount of data you can send in the DNS query name field, this will sort of look like an attack, because they have to send thousands of queries to get anything done. They are not attacking the authoritative name servers in those domains, as has been suggested; rather, the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer
Re: random dns queries with random sources
Joe Maimon wrote:
> What is the purpose of this?

It may be an experiment that rate limiting is useless to suppress amplification against attacks simultaneously on many targets.

A better protection should be to shutdown secure DNS, which is not very secure.

Masataka Ohta
Re: GEO location issue with google
For future reference, the last time this issue came up someone said doing this was a good way to get their geo stuff fixed automatically: http://tools.ietf.org/html/draft-google-self-published-geofeeds-02

I haven't messed with it yet, but it seems like a good idea. I want to write something that lets me export this from our IPAM, but I've been busy and it isn't a problem for us at the moment.

Thanks,
Robert

On 2/19/2014 8:02 AM, Praveen Unnikrishnan wrote:
> Hi Heather,
>
> Thank you very much for sorting out this issue.
>
> Praveen Unnikrishnan
> Network Engineer
> PMGC Technology Group Ltd
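As an added example (not Robert's code, nor anything from Google or the draft's authors), the kind of IPAM-to-geofeed exporter Robert mentions wanting: it takes IPAM records, validates each one and emits the draft's CSV rows. The column order (prefix, country, region, city, postal code) is the one the self-published geofeed draft, later published as RFC 8805, uses; the IPAM record layout is a constructed stand-in for whatever your IPAM exports, and the first prefix is the UK block quoted in the thread. The checks matter because a feed line with host bits set, a lowercase or malformed country code, or a region code that does not belong to the stated country is exactly the kind of entry a consumer will silently skip.

```python
import ipaddress
import re

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")                # ISO 3166-1 alpha-2, e.g. GB
REGION_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")   # ISO 3166-2, e.g. GB-LND

# Constructed IPAM export. The first prefix is the one quoted in the thread; the
# rest are documentation ranges, including three deliberately imperfect records.
IPAM_RECORDS = [
    {"prefix": "5.250.176.0/20", "country": "GB", "region": "GB-LND", "city": "London", "postal": ""},
    {"prefix": "2001:db8:10::/48", "country": "GB", "region": "GB-LND", "city": "London", "postal": ""},
    {"prefix": "192.0.2.0/24", "country": "gb", "region": "", "city": "", "postal": ""},     # lowercase: normalised
    {"prefix": "198.51.100.5/24", "country": "GB", "region": "GB-LND", "city": "London", "postal": ""},  # host bits set
    {"prefix": "203.0.113.0/24", "country": "GB", "region": "US-CA", "city": "", "postal": ""},  # region/country mismatch
]


def geofeed_line(rec):
    """Validate one IPAM record and return its geofeed CSV line; raise ValueError if unusable."""
    # strict=True rejects a prefix whose host bits are set (198.51.100.5/24)
    net = ipaddress.ip_network(rec["prefix"], strict=True)
    country = rec.get("country", "").strip().upper()
    if country and not COUNTRY_RE.match(country):
        raise ValueError(f"bad country code {country!r}")
    region = rec.get("region", "").strip().upper()
    if region:
        if not REGION_RE.match(region):
            raise ValueError(f"bad region code {region!r}")
        if not region.startswith(country + "-"):
            raise ValueError(f"region {region} does not belong to country {country or '(none)'}")
    city = rec.get("city", "").strip()
    postal = rec.get("postal", "").strip()
    if "," in city or "," in postal:
        raise ValueError("commas are not allowed inside a geofeed field")
    return ",".join([net.with_prefixlen, country, region, city, postal])


def build_geofeed(records):
    """Return (lines, errors): the valid CSV rows and a list of (prefix, reason) rejects."""
    lines, errors = [], []
    for rec in records:
        try:
            lines.append(geofeed_line(rec))
        except ValueError as exc:
            errors.append((rec.get("prefix"), str(exc)))
    return lines, errors


if __name__ == "__main__":
    good, bad = build_geofeed(IPAM_RECORDS)
    print("# geofeed generated from IPAM")
    print("\n".join(good))
    for prefix, reason in bad:
        print(f"# rejected {prefix}: {reason}")
```

Publish the good rows at a stable HTTPS URL and keep the rejects in the export log rather than in the feed; a consumer that finds one malformed row may distrust the whole file.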
NTP DRDos Blog post
Folks, I just posted http://nwtime.org/ntp-winter-2013-network-drdos-attacks/ . In general we've never allowed comments to blog posts on that site; we're currently discussing if we should allow them for this post. I'd love to hear any feedback about the post. Thanks... -- Harlan Stenn st...@ntp.org http://networktimefoundation.org - be a member!
Re: spamassassin
Daniel is correct, he gets a cookie!

To the others: please learn to recognize when you have no clue.

simon, you just do not understand the purpose of the nanog list

We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)

as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.

randy
Re: spamassassin
Yo Randy!

On Thu, 20 Feb 2014 10:48:49 +0800 Randy Bush ra...@psg.com wrote: We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :) as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.

http://www.gossamer-threads.com/lists/spamassassin/users/183433

body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7

RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 g...@rellim.com Tel:+1(541)382-8588
Re: spamassassin
On 2/19/2014 6:48 PM, Randy Bush wrote: Daniel is correct, he gets a cookie! To the others: please learn to recognize when you have no clue. simon, you just do not understand the purpose of the nanog list We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :) as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.

I found this config block in the file 50_scores.cf and added the BAYES_999 entry:

# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 0 0 -1.5 -1.9
score BAYES_05 0 0 -0.3 -0.5
score BAYES_20 0 0 -0.001 -0.001
score BAYES_40 0 0 -0.001 -0.001
score BAYES_50 0 0 2.0 0.8
score BAYES_60 0 0 2.5 1.5
score BAYES_80 0 0 2.7 2.0
score BAYES_95 0 0 3.2 3.0
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.9
endif

-- Andris
Re: spamassassin
http://www.gossamer-threads.com/lists/spamassassin/users/183433

as blabby as nanog, and not really specific

body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7

and this is a replacement for both 999 and 99?

randy
Re: VMware Training
On Wed, Feb 19, 2014 at 12:14 PM, Phil Gardner phil.gardne...@gmail.com wrote:

Seeing you are a Linux admin; VMware's prof. training offerings are basic point-and-click things, not very Linux-admin friendly: no advanced subjects or even CLI usage in Install, Configure, Manage. If you are already at the level of doing scripted ESXi installs and configuring hosts for SAN storage and networking according to VMware's best practices, then you should be able to work out the little that is left by reading the ample documentation and a few whitepapers, unless you need proof of completing a class as a certification pre-requisite.

One way to get the extra experience would be to start by putting together the simplest two-node or three-node cluster you can muster; try various configurations, put it through its paces: make it break in every conceivable way, fix it. There is almost nothing extra to do for DRS/HA config, other than to design the networking, storage, compute, and DNS properly to be resilient and support them. You literally just check a box to turn on DRS, and a box to turn on HA, select an admission policy, and select automation level and migration threshold. Of course, there are advanced options, and 'exotic' clusters where you need to know the magic option names. You may also need to specify additional isolation IP addresses, or tweak timeouts for VMware tools heartbeat monitoring, to cut down on unwanted false HA restarts. These are not things you will find in the training classes; you need to read the documentation and literature contained on various blogs --- it would probably be best to read some of Duncan Epping and Scott Lowe's books, if you have the time, to further solidify understanding. Ultimately, you are not going to be able to do this realistically without real servers comparable to the real world, so a laptop running ESXi may not be enough.

You could also find a company to lease you some lab hours to tinker with other storage technology; i'm sure by now there are online cloud-based Rent-A-Labs with the EMC VNX/Dell Equallogic/HP storage hardware.

vswitches/SAN config (but only with NFS datastores backed by a NetApp, unfortunately,

Also... with uh... NetApp units running current software at least can very easily create an extra block-based lun on top of a volume, to be served out as a block target. You might want to ask your storage vendor support what it would take to get the keycode to turn on FC or iSCSI licenses, so you can present an extra 40gb scratch volume. Or you could download the Netapp simulator to play with :-O

All the ESXi documentation is online, and all the relevant software has a 60-day evaluation grace period after install. You just need to work through it. Get things working in the lab, then start trying out more complicated scenarios and trying the advanced knobs later; read the installation directions; see how things work. Buying or scavenging a used server is probably easiest to do for long-term playing; look for something with 32GB of RAM, and 4 or more 2.5 SAS drives. Try to have 100GB of total disk space in a hardware RAID10 or RAID0 with 256MB or so controller writeback cache, or a SSD; the idea is to have enough space to install vCenter and operations manager and a few VMs. A 3 year old Dell 11G R610 or HP DL360 G6 likely falls into this category. Install ESXi on the server, and create 3 virtual machines that will be Nested ESXi servers; the OS of the VMs will be ESXi. See: http://www.virtuallyghetto.com/2012/08/how-to-enable-nested-esxi-other.html

If you would rather build a desktop tower for ESXi, look for a desktop motherboard with a 64-bit Intel Proc with DDR2 ECC Memory support in at least 32GB of RAM, VT-d support, and onboard Broadcom or Intel networking. Network controller and Storage controller choices are key; exotic hardware won't work. Considering vCenter itself wants a minimum 12GB of RAM, in case you want to test out _both_ the vCenter virtual appliance and the standard install on Windows, about 32GB RAM is great. In competition against the VMware HCL, there's a white box HCL: http://www.vm-help.com/esx40i/esx40_whitebox_HCL.php

I would look to something such as the Iomega Storcenter PX6, PX4 or Synology DS1512+ as an inexpensive shared storage solution for playing around with iSCSI-based block targets. I think the Iomegas may be the least-cost physical arrays on the official Vmware HCL, with VAAI support. You can also use a virtual machine running on the local disks of your ESXi server to present shared storage, as another VM, if you run your cluster's ESXi servers as nested virtual machines on one server. Some software options are Linux... Nexenta, FreeNAS... Open-e, HP Lefthand, Isilon... Falconstor, Nutanix (I would look at the first 3 primarily). Or you can also use a spare
Re: spamassassin
On 02/19/14 22:22, Randy Bush wrote: http://www.gossamer-threads.com/lists/spamassassin/users/183433 as blabby as nanog, and not really specific

body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7

and this is a replacement for both 999 and 99?

You should be able to just whack it into local.cf and it'll override whatever other instances there are,

Michael
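To show what "whack it into local.cf and it'll override" amounts to, here is an added Python example (not the thread's or the SpamAssassin project's own code): it parses `body`/`score` lines from config files loaded in order, picks the score-set value that applies for a given use_bayes/use_network combination, and flags rules that are defined but never scored. The file names and their contents are constructed to mirror the thread's lines.

```python
import re

# Added example, not from the thread or SpamAssassin: resolves the effective
# score of each rule from config snippets loaded in order (local.cf last).
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")
RULE_RE = re.compile(r"^\s*(body|header|rawbody|full|meta|uri)\s+(\S+)\s+")

def parse(configs):
    """configs: list of (filename, text) in load order; a later score line wins."""
    rules, scores = set(), {}
    for name, text in configs:
        for line in text.splitlines():
            line = line.split("#", 1)[0]          # drop comments
            m = RULE_RE.match(line)
            if m:
                rules.add(m.group(2))
                continue
            m = SCORE_RE.match(line)
            if m:
                try:
                    vals = [float(v) for v in m.group(2).split()]
                except ValueError:
                    vals = []
                if len(vals) not in (1, 4):       # catches run-together "2.00.8"
                    raise ValueError(f"{name}: bad score line: {line.strip()}")
                scores[m.group(1)] = (name, vals)
    return rules, scores

def effective_score(scores, rule, use_bayes=True, use_network=True):
    """Four values select score set (bayes ? 2 : 0) + (net ? 1 : 0);
    a rule with no score line at all defaults to 1.0 in SpamAssassin."""
    if rule not in scores:
        return 1.0
    _, vals = scores[rule]
    if len(vals) == 1:
        return vals[0]
    return vals[(2 if use_bayes else 0) + (1 if use_network else 0)]

def lint(rules, scores):
    """Rules defined but never scored, and scored names with no rule definition."""
    return sorted(rules - set(scores)), sorted(set(scores) - rules)

# Constructed sample files: the shipped rules define both BAYES rules, the
# shipped scores file scores only BAYES_99, and local.cf adds the thread's lines.
RULES_CF = ("body BAYES_99 eval:check_bayes('0.99', '0.999')\n"
            "body BAYES_999 eval:check_bayes('0.999', '1.00')\n")
SCORES_CF = "ifplugin Mail::SpamAssassin::Plugin::Bayes\nscore BAYES_99 0 0 3.8 3.5\nendif\n"
LOCAL_CF = "score BAYES_99 0 0 3.8 3.5\nscore BAYES_999 0 0 4.0 3.7\n"
SHIPPED = [("23_bayes.cf", RULES_CF), ("50_scores.cf", SCORES_CF)]
```

Running `lint(*parse(SHIPPED))` reports BAYES_999 as defined but unscored; appending `("local.cf", LOCAL_CF)` to the load list clears that and makes BAYES_999 score 3.7 with Bayes and network tests on.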
Re: VMware Training
On Wed, Feb 19, 2014 at 2:06 PM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Eugeniu Patrascu eu...@imacandi.net [snip] My understanding of a cluster-aware filesystem was that it can be mounted at the physical block level by multiple operating system instances with complete safety. That seems to conflict with what you suggest, Eugeniu; am I missing something (as I often do)?

When one of the hosts has a virtual disk file open for write access on a VMFS cluster-aware filesystem, it is locked to that particular host, and a process on a different host is denied the ability to write to the file, or even open the file for read access. Another host cannot even read/write metadata about the file's directory entry. Attempts to do so get rejected with an error. So you don't really have to worry all that much, as long as you don't access the same files, although certainly you should not try to, either. Only the software in ESXi can access the VMFS --- there is no ability to run arbitrary applications. (Which is also why I like NFS more than shared block storage; you can conceptually use the likes of a storage array feature such as FlexClone to make a copy-on-write clone of a file, take a storage level snapshot, and then do a granular restore of a specific VM, without having to restore the entire volume as a unit. You can't pull that off with a clustered filesystem on a block target!)

Also, the VMFS filesystem is cluster aware by method of exclusion (SCSI Reservations) and separate journaling. Metadata locks are global in the VMFS cluster-aware filesystem. Only one host is allowed to write to any of the metadata on the entire volume at a time, unless you have VAAI VMFS extensions and your storage vendor supports the ATS (atomic test and set), resulting in a performance bottleneck. For that reason, while VMFS is cluster aware, you cannot necessarily have a large number of cluster nodes, or more than a few dozen open files, before performance degrades due to the metadata bottleneck. Another consideration is that, in the event that you have a power outage which simultaneously impacts your storage array and all your hosts, you may very well be unable to regain access to any of your files until the specific host that had that file locked comes back up, or you wait out a ~30 to ~60 minute timeout period.

Cheers, -- jra -- -JH
Re: VMware Training
Why bother with a clustering FS, then, if you cannot actually /use it/ as one? - jra

On February 19, 2014 10:44:22 PM EST, Jimmy Hess mysi...@gmail.com wrote: